(St 

s 



PATENT SPECIFICATION <"> 1483 282 

(21) Application No. 52131/74 (22) Filed 2 Dec. 1974 

(31) Convention Application No. 7342706 

(32) Filed 30 Nov. 1973 in 

(33) France (FR) 

(44) Complete Specification published 17 Aug. 1977 

(51) INT CL 2 G06F 13/00 

(52) Index at acceptance 

G4A 10EX 13E 13M 17B4 17P6G6H6X APNDNR 

(54) APPARATUS FOR PROTECTING THE INFORMATION 
IN AN VI RTUAL MEMORY SYSTEM 
IN PROGRAMMED DATA PROCESSING APPARATUS 




(7!) We, COMPAGNIE INTER- 
NATIONALE POUR LTNFORMATTQUE 
CI 1 -HONEYWELL-BULL (formerly Com- 
pagnie Honeywell-Bull), a French Body 
5 Corporate, of 94 Avenue Gambetta, Pans 
75020, France, do hereby declare the 
invention, for which we pray that a patent 
may be granted to us, and the method by 
which it is to be performed, to be 
10 particularly described in and by the 
following statement: — 

The present invention concerns 
apparatus for protecting the information in 
a virtual memory system in programmed 
15 data processing apparatus. 

Several schemes have been utilized in the 
past in order to protect information. Some 
of them are detailed by Robert M. Graham 
in a paper entitled "Protection in an 
20 Information Processing Utility", published 
in CACM (May J 968). 

This type of memory protection is 
inadequate for present day 
multiprogramming systems because there is 
25 no provision for gradations of privilege or 
gradations of accessability, and severely 
limits the control over access to 
information. There should be provisions for 
different access rights to the different types 
30 of information. A partial answer to this 
problems is found in the concept of a 
memory having a segment as the unit of 
information to which access is controlled 
(see Patent Application No. 21630/74, 
35 (Serial No. 1,465,344), filed on 15 May 1974), 
Varying degrees of access to each segment 
is possible by providing for different types 
of privileges attached to each segment such 
as master/slave, write/no-wrile and 
40 execute/non-execute. However, this 
method of protecting the privacy and 
integrity of information does not take into 
account the user of the information. Under 
this type of protection, privilege is not 
45 accorded the user but the information 
being protected. Hence a user if he has 
access at all to a segment has access similar 
to all other users who have access to the 



segment. David C. Evans and Jean Yves 
LeClerc in a paper entitled "Address 50 
Mapping and the Control of Access in an 
Interactive Computer/* SJCC 1967, 
recognized the problem and attempted a 
solution. Evans and LeOcrc said in that 
article p. 23, "The user of a computing 55 
system should be able to interact arbitrarily 
with the system, his own computing 
processes, and other users in a controlled 
manner. He should have access to a large 
information storage and retrieval system 60 
called the file system. The file system 
should allow access by all users to 
information in a way which permits 
selectively controlled privacy and security 
of information. A user should be able to 65 
partition his computation into scrai- 
tndependent tasks having controlled 
communication and interaction among 
tasks. Such capability should reduce the 
human effort requked to construct* debug, 70 
and modify programs and should make 
possible increased reliability of programs. 
The system should not arbitrarily limit the 
use of input/output equipment or limit 
input/output programming by the user". 75 
Evans and LeClerc proposed conditioning 
access rights on the procedure-in- 
execution. The segment, under their 
proposal, is still the unit of information to 
which access is controlled; however, a 80 
segment's access control attributes are 
recorded substantially in a user-name 
•versus procedure tables whose entries are 
the access modes. Such a solution, 
however, has serious drawbacks. For one, 85 
the construction and updating of each 
segment s table of access control attributes 
presents a formidable task. For another, 
loo many uses of the segment and event 
occurrences must be foreseen. To 90 
overcome this problem access control by 
procedure-set was suggested. Under this 
suggestion, related procedures arc grouped 
into "sets of procedures*' and access rights 
to segments is based on the identity of the 95 
set to which the procedure seeking access 
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belongs. This method alleviated the 
problem of constructing and updating each 
segment's voluminous tables of access 
control attributes, but introduced the 
problem of determining to which set a given 
procedure belonged, particularly when a 
procedure was or could be a number of 
many sets. This ambiguity in defining sets, 
and the possible transitions between sets 
makes the implementation of access 
control based on "sets of procedures" 
extremely difficult. 

To overcome the difficulties encountered 
with the "set r technique a ring concept was 
developed. The ring concept groups the 
sets of procedures into rings that can 
unambiguously be ordered by increasing 
po\ver or level of privilege. By assigning a 
collection of sets to a collection of 
concentric rings, and assigning numbers to 
each ring with the smallest ring having the 
smallest number and each succeeding 
larger ring having a progressively greater 
number, different levels of privilege can 
then be unambiguously assigned to the user 
of a segment. Under this concept the 
innermost ring having the smallest number 
assigned to it has the greatest privilege. 
Hence it can be postulated that users in the 
lowest ring number can access information 
having higher ring numbers, but users in a 
higher ring number cannot access 
information having lower ring numbers or 
can access information in a lower ring 
number only in a specified manner. This 
palpable change or power or level of 
privilege with a change in rings is a concept 
which overcomes the objections associated 
to a change of sets. 

Mukics {Multiplexed /nformation and 
Computing Service) is an operating system 
developed primarily by Massachusetts 
Institute of Technology, in cooperation 
with General Electric Co. and others which 
first utilized the ring theory of protection in 
software on a converted Honeywell 635 
(Registered Trade Mark) computer and 
later on a Honeywell 645 (Registered Trade 
- Mark) computer. The Multics philosophy 
utilizes 64 rings of protection numbered as 
rings 0—63 and is set forth generally in a 
paper entitled "Access Control to the 
Multics Virtual Memory" published by 
Honeywell Information Systems Inc. in the 
Multics Technical Papers. Order No. 
AG95, Rev. O. A more detailed description 
of Multics ring protection is to be found on 
chapter 4 of a book entitled "The Multics 
System; An Examination of its Structure", 
by Elliott 1. Organick, published by MIT 
Press, and also in the Multics System 
Programmers Manual 1969, MIT Project 
MAC. Briefly, the Multics system does not 
utilize a "pure ring protection strategy" but 
rather employs the "ring bracket protection 



strategy" wherein a user's access rights with 
respect to a given segment are encoded in 
an access-mode and a triple of ring number 
(rl, r2, r3) called the user's "ring brackets" 
for a given segment. A quotation from 
pages 137 — 139 from the Multics Technical 
Paper entitled, "Access Control to the 
Multics Virtual Memory" sets out the rules 
and conditions for using and changing 
rings. 

This "ring protection concept" was first 
implemented with software techniques 
utilizing 64 separate rings. Subsequently an 
attempt was made to define a suitable 
hardware base for ring protection. The 
Honeywell 645 (Registered Trade Mark) 
computer represents a first such attempt 
The Honeywell 645 (Registered Trade 
Mark) system differs from the "ringed 
hardware" concepts described supra in 
several respects which when taken 
together, add up to the fact that the 
Honeywell 645 (Registered Trade Mark) is 
a 2-ring rather than a 64-ring machine, and 
has in iieu of a "ring register", a master 
mode and a slave mode, which imparts 
greater power to the processor when in 
master mode than when in slave mode. 
"The access control field of the 645 , s SDW 
(segment descriptor word) contains no 
information about rings; in particular its 
does not contain ring brackets. It does, 
however, contain either: 

a) access-mode information possibly 
including either of the two descriptors; 

accessible in master mode only, 
master modejprocedurc; 

b) the speciffcation of one of eight 
special 'directed* faults (traps) which is to 
occur whenever the segment descriptor 
word (SDW) is accessed. 

"The procedure is only *in master mode' 
when executing a procedure whose SDW 
indicates a "master mode procedure*. The 
processor may enter master mode while 
executing a slave mode procedure by. 

faulting, 

taking an interrupt". 

"The 645 processor's access control 
machinery interprets the SDW during the 
addressing cycle and causes the appropriate 
action to occur depending on the SDW and 
(usually) on the attempted access, as 
follows: 

a. If the SDW implies a particular 
"directed fault", then that fault occurs. 

b. Otherwise, if the SDW does nor 
permit the attempted access, the 
appropriate access violation fault occurs. 

c. Otherwise, the SDW permits the 
attempted access and the access is 
performed. 

"When a fault occurs, the 645 enters 
master mode and transfers control to the 
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appropriate master mode fault handling 
procedure". (Access Control to the Multics 
Virtual Memory, supra pps. 157 — 158). 
Another paper by Michael D. Schroeder 

5 and Jerome H. Saltzer entitled "A 
Hardware Architecture for Implementing 
Protection Rings 1 * published in 
Communications of the ACM, March 1972 
Vol. 15, No. 3, sets forth background and 

10 theory of ring protection and describes a 
hardware implementation of "ring 
protection". 

Because the Multics and Honeywell 645 
version of ring protection was implemented 

15 mainly in software, considerable operating 
system supervisor overhead was entailed 
particularly when calls to greater or lesser 
power were made by trapping to a 
supervisor procedure. What was required 

20 was an access control mechanism which 
had the functional capability to perform 
effectively its information protection 
function, was relatively simple in operation, 
was economic to build, operate and 

25 maintain, and did not restrict programming 
generality. The Honeywell 6000 
(Registered Trade Mark) computer system 
met these requirements by implementing 
most of the ring protection mechanism in 

30 hardware. Hence special access checking 
logic, integrated with the segmented 
addressing hardware was provided to 
validate each virtual memory reference, 
and also some special instructions for 

35 changing the ring of execution. However 
certain portions of the ring system 
particularly outward calls and returns or 
calls to a lesser power and returns 
therefrom presented problems which 

40 required the ring protection function to be 
performed by transferring control to a 
supervisor. What is now needed are further 
improvements in hardware and techniques 
that will permit a full implementation of 

45 ring protection in hardware/firmware and 
will meet the criteria of functional 
capability, economy, simplicity and 
programming generality. 

Accordingly the present invention has for 

50 an object to provide an improved computer 
ring protection mechanism. 

Accordingly the present invention 
consists in an internally programmed data 
processing apparatus CPU having a virtual 

55 memory system, and being responsive to 
internally stored instruction words for 
processing information and having stored in 
said virtual memory system a plurality of 
different types of groups of information 

60 each information group- type associated 
with an address space bounded by a 
segment having adjustable bounds, and 
comprising means for protecting the 
information in said-virtual memory system 

65 from unauthorized users by restricting 



accessibility to the information in 
accordance to levels of privilege, said 
means comprising in combination with an 
access checking mechanism: 

(a) first means arranged in operation to 70 
store in said virtual memory system at least 
one segment table comprising a plurality of 
segment descriptors with each segment 
descriptor being associated with a 
predetermined one of said segments and 75 
each segment descriptor having a 
predetermined format containing an access 
information element and a base address 
element in predetermined positions of said 
format, said base address element being 80 
used for locating in said virtual memory 
system the starting location of a selected 
one of said segments, and said access 
information element for specifying the 
minimum level of privilege required for a g5 
predetermined type of access that is 
permitted in a selected one of said 
segments: 

(b) a plurality of second means having a 
predetermined format, communicating 90 
with said first means, arranged to store in a 
predetermined portion of said second 
means, a segment number SEG for 
identifying a segment table and the location 

of a segment descriptor within said segment 95 
table, said second means also being 
arranged to store in a predetermined other 
portion of said second means, an offset 
address within the segment identified by 
said segment descriptor said offset address 100 
locating from said segment base the first 
byte of a word within said segment; 

fc) third means responsive to an address 
syllable element of an instruction being 
executed for addressing one of said 105 
plurality of second means; 

(d) fourth means arranged to store a 
displacement from said address syllable; 

(e) fifth means, communicating with said 
first, second, third and fourth means, 1 10 
arranged to add the displacement D and 
said base address to said offset; and, 

(0 sixth means responsive to said access 
information element in a selected one of 
said segment descriptors, restricting the 115 
accessaoility to the segment associated with 
said selected one of said segment 
descriptors in accordance to the level of 
privilege and the type of access specified in 
said access information element, wherein 120 
each group-type of information is 
associated with a predetermined ring 
number indicative of a level of privilege 
said legel of privilege decreasing as the 
associated ring number increases 125 
comprising means for determining the 
maximum effective address ring number 
EAR (i.e. minimum level of privilege) of a 
selected process to access a selected group 
of information, said means comprising; 130 
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(a) first means to store first information 
indicating the maximum ring number RD 
(i.e. minimum level of privilege) required to 
read information from said selected group; 
5 (b) second means to store second 
information indicating the maximum ring 
number WR (j.e. minimum level of 
priviiecc) required to write information into 
said selected group; 
10 (c) third means to store third 
information indicating the maximum ring 
number MAXR (i.e. minimum level of 
privilege) required to process information 
from said selected group; and, 
15 (d) fourth means communicating with 
said first, second and third means, to 
determine the maximum of the contents of 
said first, second and third means whereby 
the effective address ring number EAR is 
20 generated. 

The present invention, however, both as 
to organization and operation thereof may 
best be understood by reference to the 
following description which is given by way 
25 of example in conjunction with the 
accompanying drawings in which: 

Figure I is a block diagram of a computer 
system utilizing the invention. 

Figure 2 is a schematic diagram 
W illustrating the levels of privilege of the 
invention. 

Figure 3 is a flow diagram of the 
segmented address scheme utilized by the 
invention. 

35 Figures 4A — 4J are schematic diagrams 
of various novel hardware structures 
utilized in the invention. 

Figure 5 is a schematic diagram of the 
computer ring protection hardware. 
40 Figure 6 is a schematic diagram of the 
computer segmented addressing hardware. 

Figures 7a— 7h and Figures 8a— 8c are 
detailed logic block diagrams of the ring 
protection hardware. 
5 9k is a legend of the symbols 

utilized in the diagrams of the invention. 

Figure 10 is a schematic diagram of three 
stack segments, one each for ring 0, 1 and 3 
respectively. 
50 figure 1 1 A shows the format of the Enter 
Procedure instruction. 

Figure 1 1 B shows the formal of a 
procedure descriptor. 
Figure I IC shows the format of a gating 
» procedure descriptor GPD the first word of 
the segment containing the procedure 
descriptors. 

Figure 1 1 D shows the format of the Exit 
Procedure instruction. 
60 Figure 12 is a now diagram of a portion 
of the Enter Instruction pertaining to ring 
crossing and ring checking. 

Figure 13 schematically shows a segment 
descriptor and the segment containing 
<>-> procedure descriptors. 



Hgures 14—16 are flow diagrams 
showing various operations that are 
performed when the Enter Procedure 
instruction is executed. 

Figure 17 is a flow chart of the Exit 70 
Instruction. 

As previously discussed the ring concept 
of information protection was originated on 
MULTICS and implemented on various 
Honeywell (Registered Trade Mark) 75 
Computer Systems. The original MULTICS 
concept required 64 rings or level of 
privilege and later implementation had the 
equivalent of two rings on the Honeywell 
645 and 8 rings on the Honeywell 6000 80 
(Registered Trade Mark). The embodiment 
described herein groups data and 
procedure segments in the system into a 
hierarchy of 4 rings or classes. (Refer to 
Figure 2). The 4 rings or privilege levels are 85 
identified by integers 0—3; each ring 
represents a level of privilege in the system 
with level 0 having the most privilege and 
level 3 the least. Level 0 is known as the 
inner ring and level 3 as the outer ring. The 90 
basic notion as previously discussed is that 
a procedure belonging to an inner ring has 
free access to data in an outer ring. 
Conversely a procedure in an outer ring 
cannot access data in an inner ring without 95 
incurring a protection violation exception. 
Transfer of control among procedures is 
monitored by a protection mechanism such 
that a procedure execution m an outer ring 
cannot directly branch to a procedure in an 100 
mner ring. This type of control transfer is 
possible only by execution of a special 
"procedure-call" instruction. This 
instruction is protected against misuse in a 
number of ways. First, a gating mechanism 105 
is aviiabie to ensure that procedures are 
entered only at planned entry points called 
gates when crossing rings. The segment 
descriptor of such a procedure contains a 
gate bit indicating that procedures in this 1 10 
segment can be entered only via gates; 
information regarding these gates is 
contained at the beginning of the segment 
and is used by the hardware to cause entry 
at a legal entry -point. The procedure itself 1 15 
must then verify (in a way which, of 
necessity depends on the function of the 
procedure) that it is being legitimately 
called. A further hardward protection 
mechanism is available in the case that the 120 
calling procedure supplies an address as a 
parameter; it is then possible that the more 
privileged procedure would invalidly 
modify information at this address which 
the less privileged caller could not have 125 
done, since the ring mechanism would have 
denied him access; an address validation 
instruction is available to avoid this 
possibility. 

An important convention is required 130 
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here in order to protect the procedure call 
mechanism. This states that it is not in 
general permissible to use this mechanism 
lo call a procedure in a less privileged ring 
5 and return to the more privileged one. This 
restriction is necessary since there is no 
assurance that the procedure in the higher 
ring will, in fact, return; that it will not, 
accidentally or maliciously, destroy 
10 information that the more privileged 
procedure is relying upon; or that it will 
not, accidentally or maliciously, violate the 
security of the stack (see GLOSSARY for 
definition). Any of these could lead to 
15 unpredictable results and crash the system. 
The level of privilege are quite 
independent of the process control 
mechanism and there is no notion here of 
privileged and non-privileged processes as 
20 in the IBM system 360 (Registered Trade 
Mark). Instead the same process can 
execute procedures at different levels of 
privilege (rings) subject to the restrictions 
imposed by the ring mechanism. In this 
25 sense the ring mechanism can be viewed as 
a method for subdividing the total address 
space assigned to a process according to 
level of privilege. 
The ring mechanism defined herein 
30 permits the same segment to belong to up 
to 3 different rings at the same time Le. 
there are 3 ring numbers in each segment 
descriptor, one for each type of possible 
access. Thus the same segment can be in 
35 ring one with respect to "write" access, ring 
two with respect to "execute" access and 
ring three with respect to "read" access. 
One obvious use for this is in the case of a 
procedure segment which can be written 
40 only by ring zero (perhaps the loader) but 
can be executed in ring three. 

Of the four available rings, two are 
allocated to the operating system and two 
to users. Ring zero, the most privileged 
45 ring, is restricted to those operating system 
segments which are critical lo the operation 
of the whole system. These segments form 
the hard core whose correctness at all times 
is vital to avoid disaster. Included would be 
50 the system information base, those 
procedures dealing with the organisation of 
physical memory or the initiation of 
physical data transfer operations, and the 
mechanisms which make the system 
55 function, like the "exception supervisor, 
the scheduler, and the resource 
management'*. 

Ring one contains a much greater 
volume of operating system segments 
oO whose failure would not lead to catastrophe 
but would allow recovery. Included herein 
are the language translators, data and 
message management, and job and process 
management. Through the availability of 
65 two rings for the operating system, the 



problem of maintaining system integrity is 
made more tractable, since the smaller hard 
core which is critical is isolated and can be 
most carefully protected. 

Rings two and three are available to the 70 
user to assign according to his requirement. 
Two important possibilities are debugging 
and proprietary packages. Programs being 
debugged may be assigned to ring two while 
checked out programs and data with which 75 
they work may be in ring two; in this way 
the effect or errors may be locaiized- 
Proprietary programs may be protected 
from their users By being placed in ring two 
while the latter occupy ring three. In these 80 
and other ways, these two rings may be 
flexibly used in applications. 

The General Rules of the Ring System 

1. A procedure in an inner ring such as 85 
ring 2 on Figure 2 has free access to data in 

an outer ring such as ring 3 and a legal 
access (arrow 201) results. Conversely a 
procedure in an outer ring such as riog 3 
cannot access data in an inner ring such as 90 
ring 2 and an attempt to do so results in an 
illegal access farrow 202). 

2. A procedure in an outer ring such as 
ring 3 can branch to an inner ring such as 
ring I via gate 204 which results in a legal 95 
branch 203, but a procedure operating in an 
inner ring such as ring 2 may not branch to 

an outer ring such as ring X 

3. Each segment containing data is 
assigned 2 ring values, one for read (RD) 100 
and one for write (WR). These ring values 
specify the maximum ring value in which a 
procedure may execute when accessing the 
data in either the read or write mode. 

Each time a procedure instruction is 105 
executed, the procedure's ring number 
(effective address ring, EAR) is checked 
against the ring numbers assigned to the 
segment containing the referenced data. 
The EAR is the maximum number of 110 
process ring numbers in the processor 
instruction counter (see later description) 
and all rin§ numbers in base registers and 
data descriptors found in the addressing 
path. Access to the data is granted or 115 
denied based on a comparison of the ring 
numbers. For example, if a system table 
exists in a segment having a maximum 
read/ring value of 3 and a maximum 
write/ring value of I, then a user procedure 120 
executing in ring 3 may read the table but 
may not update the table by writing therein. 

Procedure Calls and the Stack Mechanism: 

The procedure call and stack mechanism 125 
is an apparatus being described herein 
Procedure calls are used to pass from one 
procedure to another; to allow user 
procedures to employ operating system 
services; and to achieve a modular 130 
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structure within the operating system. A 
procedure call is effected by instructions 
and a hardware recognized entity called a 
stack. 

5 A stack is a mechanism that accepts, 
stores and allows retrieval of data on a last- 
in-first-out basis. Stacks reside in special 
., segments called stack segments. A stack 
segment consists of a number of contiguous 
10 parts called stack frames which arc 
dynamically allocated to each procedure. 
The first stack frame is loaded into the low 
end of the segment and succeeding frames 
are loaded after it. The last frame loaded is 
15 considered the top of the stack. A T- 
register I 14 (see Figure 1) locates the top of 
the stack for the currently active process. A 
virtual T-register exists in the process 
control block (PCB) of all other processes 
20 in the system. 

A stack frame consists of three areas: a 
work area in which to store variables, a save 
area in which to save the contents of 
registers, and a communications area in 
25 which to pass parameters between 
procedures. Prior to a procedure call, the 
user must specify those registers he wishes 
saved and he must load into the 
communications area the parameters to be 
30 passed to the called procedure. When the 
call is made, the hardware saves the 
contents of the instruction counter and 
specified base registers to facilitate a return 
from the called procedure. 
35 Each procedure call creates a stack 
frame within a stack segment and 
subsequent calls create additional frames. 
Each exit from one of these called 
procedures causes a stack frame to be 
40 deleted from the stack. Thus, a history of 
calls is maintained which facilitates orderly 
returns. 

To ensure protection between 
procedures executing in different rings, 

45 different stack segments are used. There is 
one stack segment corresponding to each 
protection ring per process. A process 
control block (PCB) contains three stack 
base words (SBW) which point to the start 

50 of the stack segment for rings 0, 1 and 2 
associated with the process. The ring 3 
stack segment can never be entered by an 
inward call; therefore, its stack starting 
address is not required in the PCB. 

55 The procedure call is used by users who 
have written their programs in a modular 
way to pass from one program module to 
another. It is used by user programs to avail 
themselves of operating system services. It 

60 is used by the operating system itself to 
achieve a responsive modular structure. 
The procedure call as is described in the 
above referenced patent application is 
effected by hardware instructions and the 

65 hardware recognizable stack mechanism. 



The main requirements on a procedure 
call mechanism are: 

1. Check the caller's right to call the 
caller; 

2. Save the status of the caller which 70 
includes saving registers, instruction 
counter (for return), and other status bits; 

3. Allow for the passing of parameters; 

4. Determine valid entry point for the 
called procedure; 75 

5. Make any necessary adjustments in 
the addressing mechanism; 

6. Enter the new procedure. 

When the called procedure terminates or 
exits, whatever was done in the call must be 80 
undone so that the status of the calling 
procedure is restored to what it was before 
the call. 

As a preliminary to making a procedure 
call, the instruction PREPARE STACK is 85 
executed. This instruction causes those 
registers specified by the programmer in 
the instruction to be saved in the stack. It 
causes the status register (see Figure !) to 
be saved, and provides the programmer 90 
with a pointer to parameter space which he 
may now load with information to be 
passed to the called procedure. 

Another instruction ENTER 
PROCEDURE permits the procedure call 95 
via the following steps corresponding to the 
requirement specified above: 

1. Ring checking — the caller's ring is 
checked to make sure that this ring may call 

the new procedure; the call must be to a 100 
smaller or equal ring number; and if ring 
crossing does occur the new procedure 
must be gated through a gate 204 of Figure 

2. The new ring number will then be that 

of the called procedure. ]Q5 

2. The instruction counter is saved; 

3. Base register 0 (see Figure 1) is made 
to point effectively to the parameters being 
passed; 

4. The entry-point of the called HO 
procedure is obtained from a procedure 
descriptor whose address is con- 
tained in the ENTER PROCEDURE 
INSTRUCTION; 

5. A point to linkage information is 115 
loaded in base register number 7. 

6. The new procedure is entered by 
loading the new rim* number and the 
address of the entry-point in the instruction 
counter. 120 

The remainder of the current stack- 
frame is also available to the called 
procedure for storage of local variables. 

When the called procedure wishes to 
return, it executes the instruction EXIT 125 
PROCEDURE. The registers and the 
instruction counter are then restored from 
their saving areas in the stack. 

Referring to Figure I there is shown a 
block diagram and a computer hardware 130 
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system utilizing the invention. A main 
memory 101 is comprised of four modules 
of metal-oxide semi-conductor (MOS) 
memory. The four memory modules 1—4 
5 are interfaced to the central processor unit 
100 via the main store sequencer 102. The 
four main memory modules I — 4 are also 
interfaced to the peripheral subsystem such 
as magnetic tape units and disk drive units 

10 (not shown) via the main store sequencer 
1Q2 and the 10C (not shown). The main 
store sequencer gives the capability of 
providing access to and control of all four 
memory modules. 

15 Operations of the CPU are controlled by 
a read only memory ROM, herein called 
the control store unit 1 10. 

The control store interface adapter 109 
communicates with the control store unit 

20 HO, the data mangagemcnt unit 106 ( the 
address control unit 107 and the arithmetic 
logic unit 1 12 for directing the operation of 
the control store memory. Trie control 
store interface adapter 109 includes logic 

25 for control store address modification, 
testing, error checking, and hardware 
address generation. Hardware address 
generation is utilized generally for 
developing the starting address of error 

30 sequencers or for the initialization 
sequence. 

The buffer store memory 104 is utilized 
to store the most frequently used or most 
recently used information that is being 

35 processed by the CPU. 

The data management unit 106 provides 
the interface between the CPU 100 and 
main memory 101 and/or buffer store 
memory 104. During a memory read 

40 operation, information may be retrieved 
from main memory or buffer store memory. 
It is the responsibility of the data 
management unit to recognize which unit 
contains the information and strobe the 

45 information into the CPU registers at the 
proper time. The data management unit 
also performs the masking during partial 
write operations. 
The instruction fetch unit 108 which 

50 interfaces with the data management unit 
106, the address control unit 107, the 
arithmetic and logic unit 112 and the 
control store unit 1 10 is responsible for 
keeping the CPU 100 supplied with 

55 instructions. 

The address control unit 107 
communicates with the instruction fetch 
unit 108, the buffer store directory 105, the 
main store sequencer 102 t the arithmetic 

60 logic unit 112, the data management unit 
105, and the control store unit 110 via the 
control store interface adapter 109. The 
address control unit 107 is responsible for 
all address development in the CPU. 

65 Interfacing with the address control unit 



107, the instruction fetch unit 108 and the 
control store unit 1 10 is the arithmetic logic 
unit 112 which is the primary work area of 
the CPU 100. Its primary function is to 
perform the arithmetic operations and data -jq 
manipulations required of the CPU. 

Associated with the arithmetic logic unit 
112 and the control store unit 110 is the 
local store unit 111 which typically is 
comprised of a 256-location (32 bits per 75 
location) solid state memory and the 
selection and read/write logic for the 
memory. The local store memory 111 is 
used to store CPU control information and 
maintain ability information. In addition, 80 
the local store memory 111 contains 
working locations which are primarily used 
for temporary storage of operands and 
partial results during data manipulation. 

The central processing unit 100 typically 85 
contains 8 base registers (BR) 116 which 
are used in the process of address 
computation to define a segment number, 
an offset, and a ring number. The offset is a 
pointer within the segment and the ring 90 
number is used in the address validity 
calculation to determine access rights for 
a particular reference to a segment. 

The instruction counter 118 
communicates with the main memory local 95 
register (MLR) 103 and with the instruction 
fetch unit 108, and is a 32-bit register which 
contains the address of the next instruction, 
and the current ring number of the process 
(PRN). Also contained in the central 100 
processing unit is a T register 114 which 
also interfaces with the instruction fetch 
unit 108 and is typically a 32-bit register 
containing a segment number and a 16-brt 
or 22-bit positive integer defining the 105 
relative address of the top of the procedure 
stack. The status register 115 is an 8-bit 
register in the CPU which among other 
things contains the last ring number — i.e. 
the previous value of the process ring 110 
number (PRN). 

The main memory 101 is addressed by 
the memory address register (MAR) 119, 
and the information addressee by (MAR) 
1 1 9 is fetched and temporarily stored in the 115 
memory local register (MLR) 103. 
' Referring now to Figure 3 there is shown 
a flow diagram of the general rules for 
segmented address development shown in 
detail in the above mentioned copending 120 
patent application No. 2163fV74 t Serial No. 
1,465,344. Figure 3 when read in 
conjunction with the above referenced 
patent application is self-explanatory. 
There is however one major difference 125 
between the address development as shown 
on Figure 3 to that of the above mentioned 
application and that is that in the address 
development of Figure 3 of the instant 
application as many as 16 levels of 130 
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indirection may be utilized in the address 
development whereas in the above 
referenced application the levels of 
indirection were limited to a maximum of 
5 two. This of course is a matter of choice 
with the designer and in no way alters the 
high level inventive concept. 

Referring now to Figures 4A — 4J, 
Figures 4A and 4B show the format of the 
10 instruction counter designated by reference 
numeral 118 on Figure 1. The instruction 
counter (IC) 1 18 is a 32-bit register which 
contains the address of the next instruction, 
and the current ring number of the process 
1 5 (PRN). Referring specifically to Figures 4A 
and 4B the TAG is a 2-bit field which 
corresponds to the TAG field of data 
descriptors shown and described in the 
above reference application entitled 
20 ^Segmented Address Development". PRN 
is a 2-bit field which defines the current ring 
number of the process to be used in 
determination of access rights to main 
storage. SEG is typically either a 12-bit or a 
25 6-bit field which defines the segment 
number where instructions are being 
executed. The OFFSET is typically either a 
16-bit or a 22-bit field which defines the 
address of the instruction within the 
30 segment SEG. 

Figures 4C— A¥ show the format of 
segment descriptors with Figures 4C and 
4D showing the first and second word of a 
direct segment descriptor whereas figures 
35 4E and 4F show the first and second word 
of an indirect segment descriptor. Segment 
descriptors are two words long each word 
comprised of 32 bits. Referring to Figures 
4C — 4D which show the first and second 
40 word respectively of a direct segment 
descriptor, P is a presence bit. If P equals 
one, the segment defined by the segment 
descriptor is present in main storage. If P 
equals zero, tne segment is not present and 
45 a reference to the segment descriptor 
causes a missing segment exception. All 
other fields in a segment descriptor have 
meaning only if P equals one. A is the 
availability bit. If A equals zero, the 
50 segment is unavailable (or locked) and a 
reference to the segment causes an 
unavailable segment exception. If A equals 
one, the segment is available (or unlocked, 
and can be accessed). I is the indirection 
55 bit. If 1 equals zero, the segment descriptor 
is direct. If I equals one, the segment 
descriptor is indirect. U is the used bit. If U 
equals zero, the segment has not been 
accessed. If U equals one, the segment has 
60 been accessed. U is set equal to one by any 
segment access. W is the written bit If W 
equals zero, no write operation has been 
performed on the segment. If W equals one, 
a WRITE operation has been performed on 
65 the segment. W is set to one by any WRITE 
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operation. GS is the gating-semaphore bits. 
When the procedure call mechanism 
referred to above requires that the segment 
be a gating segment or when the process 
communication mechanism (not shown) 70 
requires that the segment be a segment 
descriptor segment (SD) the GS bits are 
examined. To be a valid gating segment, the 
GS bits must have the value 10. To be a 
valid SD segment, the GS bits must have 75 
the value 01. If a gating or SD segment is 
not required, these bits are ignored. The 
BASE is a 24-bit field which defines the 
absolute address in quadruple words of the 
first bvte of the segment. This field is go 
multiplied by 16 to compute the byte 
address of the segment base. The SIZE is a 
field which is used to compute the segment 
size. If the segment table number, 
subsequently referred to as STN, is greater gs 
or equal to zero but less than or equal to six, 
the SIZE field is 18 bits long. The STN is a 
field indicating the segment table entry STE 
for selecting a segment descriptor. If the 
STN is greater than or equal to 8 but less 90 
than or equal to 15. the SIZE field is 12 bits 
long. The number of bytes in the segment is 
equal to 16 times (SlZE+1). If SIZE equals 
zero, the segment size is 16 bytes. RD is the 
read access field. This is a 2-bit field which 95 
specifies the maximum EAR (effective 
address ring number) for which a read 
operation is permitted on the segment (A 
procedure is always permitted to read its 
own segment if EAR equals PRN). WR is 100 
the write access field. This is a 2-bk field 
which specifies the maximum EAR for 
which a write operation is permitted on die 
segment and the minimum PRN at which 
the segment may be executed. MAXR is 105 
the maximum ring number. This is a 2-bit 
field which specifies the maximum PRN at 
which the segment may be executed. WP is 
the write permission bit. This bit indicates 
whether a WRITE operation may be 110 
performed on the segment. If WP equals 
zero, no WRITE operation may be 
performed. If WP equals one, a WRITE 
operation may be performed if EAR is 
greater than or equal to zero but less than 1 15 
or equal to WR. EP is the execute 
permission bit. This bit specifies whether 
the segment may be executed. If EP equals 
zero, the segment may not be executed. If 
EP equals one, the segment may be 120 
executed at any PRN for which PRN is 
greater than or equal to WR but less than or 
equal to MAXR. MBZ is a special field 
which must be set to zero by software when 
the field is created, before its initial use by 125 
hardware. 

Referring to Figures 4E — 4F the 
definitions of the various fields are similar 
as above however word 0 includes a 
LOCATION field and word I includes a 130 
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RSU field. The LOCATION field is a 28-bit 
field which defines the absolute address of a 
direct segment descriptor. The value in the 
LOCATION field must be a muliple of 8. 

5 The RSU field is a special field which is 
reserved for software use. 

Figures 4G — 4H show the format of the 
base registers (BR) which are used in the 
process of address computation to define a 

10 segment table number, a segment table 
entry number, an offset, and a ring number. 
There are typically 8 base registers as 
shown by reference numeral 116 on Figure 
* 1. A base register is specified or identified 

15 as base register 0 through 7. The size of a 
base register is 32 bits long. The base 
register format of Figure 4G is utilized for 
small segment i.e. where STN is greater or 
equal to 8 but less than or equal to 15, 

20 whereas the format of base register of 
Figure 4H is utilized for large segments i.e. 
STN is greater or equal to zero but less than 
or equal to six. Referring to Figures 
4G-^H, TAG is a 2-bit field which 

25 corresponds to the TAG of a data 
descriptor referenced previously. RING is 
a 2-bit field which contains the nng number 
associated with the segmented address for 
protection purposes. SEG is a field 

30 previously referred to, which identifies a 
segment described in a segment table. STN 
is the segment table number, and STE is the 
segment table entry number. OFFSET is a 
16-bit field or a 22-bit field depending on 

35 segment table number, which defines a 
positive integer. The OFFSET is used in the 
process of address development as a 
pointer within a segment. 
Referring to Figures 41— 41 there is 

40 shown the formal of the T-register. The T* 
register is a 32-bit register containing a 
segment number and a 16-brt or 22-bit 
positive integer defining the relative 
address of the top of the procedure stack 

45 previously mentioned. The T-register is 
shown by reference numeral 1 14 on Figure 
I. The various fields of the T-register have 
the same definition as described above. 
Referring now to Figures 3 and 4A — 4J a 

50 more defined description of absolute 
address calculation and access checking is 
made. In general absolute address 
calculation consists of fetching a segment 
descriptor specified by STN and STE and 

55 using the segment descriptors in four ways: 
access checking, computation of the 
absolute address, bound checking, and 
updating (U and W flags). As described in 
copending patent application No. 21630/74, 

60 (Serial No. 1,465,344) the absolute address 
may be direct or indirect and is derived by 
first deriving an effective address from 
STN, STE, and SRA (segment relative 
address). STN is extracted from bits 4 

65 through 8 of the base register BR specified 



in the address syllable of an instruction. If 
STN is 7, an out of segment table word 
array exception is generated. STE is 
extracted from the base register specified in 
the address syllable. If STN 4:4 (i.e., 70 
beginning at bit 4 and including the next 4 
bits) is greater than or equal to zero or less 
than or equal to six, STE is in a base register 
bits 8 and 9. If STN 4:4 (i.e. 4 bits beginning 
at bit 4) is greater than or equal to 8 but less 75 
than or equal to 1 5, STE is in a base register 
BR bits 8 through 15, The segment relative 
address SRA for direct addressing is 
computed by adding the displacement in 
the address syllable; the offset of the base 80 
register BR; and the 32-bit contents of an 
index register, if specified in the address 
syllable. The sum of these three quantities 
is a 32-bit unsigned binary integer which 
must be less than the segment size 85 
appropriate to the segment STN, STE, 

Indirect addressing is developed by 
fetching a data descriptor and developing 
an address from that descriptor. The 
effective address of the data descriptor is 90 
computed as in the direct addressing case 
with the exception that the index register 
contents are not used. In developing the 
address from the data descriptor the 
effective address may be computed by an 95 
indirection to segment ITS descriptor and 
an indirection to base ITBB desc riptor . If 
the descriptor is ITS the STN and STE are 
extracted from the descriptor in the same 
manner as from a base register. SRA is 100 
computed by adding the displacement in 
the descriptor and the contents of an index 
register as specified in the syllable. If the 
descriptor is an ITBB descriptor then STN 
and STE are extracted from the base 105 
register specified in the BBR field (i.e. the 
base register implied by ITBB descriptor) 
of the descriptor as in direct addressing. 
SRA is computed by adding the 
displacement in the descriptor, the onset of 1 10 
the base register, and the contents of an 
index register is specified in the address 
syllable. 

As shown on Figure 3 the indirection 
process may be extended up to 16 levels. 1 15 

Every effective address contains 
protection information which is computed 
in address development and checks for 
access rights by the ring protection 
hardware of the absolute address 120 
calculation mechanism. The effective 
address contains protection information in 
the form • of an effective address ring 
number EAR (see Figures 2J and 2IC of 
above application No. 2!63(V74, (Serial No. 125 
1,465.344). The EAR is computed from the 
base register ring number BRN and from 
the current process ring number PRN by 
taking the maximum ring number. In 
developing the E A R for indirect addressing \ 30 
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a somewhat more tedious but essentially 
similar procedure as indirect addressing is 
used. In indirect addressing the EAR for 
extraction of the first descriptor (EAR 1) is 
5 once again the maximum of the ring 
number from the base register specified in 
the address syllable and the current process 
nng number PRN in the instruction counter 
1 l S J? r Fl B^rc 1 and stored in 00 register 5 1 2 
10 of Figure 5. The EAR for extraction of the 
second descriptor (EAR 2), of multiple 
level indirection is the maximum of: 
a. EAR 1; 

l ) * J T he rin S number in the first descriptor 
15 if indirection is indirection to segment; 

c The ring number from a base register 
1 16 utilized as a data base register BBR if 
the first descriptor is an indirection to 
segment descriptor ITBB. 
20 The EAR for extraction of the data of 
multiple level indirection is the maximum 
of: 

a. EAR 2: 

b. The ring number in the second 
25 descriptor if it is an indirection segment 

descriptor ITS; 

c The ring number in one of the base 
registers utilized as a data base register 
BBR if the second descriptor is an 
30 indirection to base descriptor ITBB. 

Referring now to Figures 5 and 6, the 
transfers and manipulation of the various 
type ring numbers will be described 
at the system level. Detailed logic block 
35 diagrams for effecting the transfers and 
operations of Figure 5 will be later 
described. Referring first to Figure 6 an 
associative memory 600 is utilized in 
segmented address development. The 
40 associative memory 600 comprises 
essentially a UAS associalor 609 which has 
circuitry which includes associative 
memory cells, bit sense amplifiers and 
drivers, and word sense amplifiers and 
45 drivers (not shown). A word or any part of a 
word contained in UAS associator 609 may 
be read, compared to another word with a 
match or no match signal generated 
. thereby, or be written cither in whole or in 
50 a selected part of the associator 609. For 
example, US register 607 may contain a 
segment number which may also be in the 
associative memory 600. A comparison is 
made with UAS associator 609 and if a 
55 match is found a "hit" results. The match 
or "hit" signal is provided to encoder 610. 
The function of encoder 610 is to transform 
the "hit" signal on one of the match lines to 
a 4 bit address. Encoder 610 provides this 4 
60 bit address to UAB associator buffer 61 1 so 
that the information contained in that 
particular location of UAB associator 
buffer 61 1 is selected. Information in UAB 
associator buffer 611 may be transferred to 
65 UV register 613 for temporary storage or 



for transfer to QA or QB bus 614 and 615 
respectively. By thus locating a prestored 
segment number of the associative memory 
600 (which may have been placed there 
after a generation of an absolute address) 70 
regeneration of the same address is not 
necessary. In the drawing of Figure 6, UAB 
associator buffer 61 1 is shown as storing a 
first and second word of a segment 
descriptor; however other types of 75 
information may just as well be stored 
therein. This buffer 61 i provides a function 
similar to that of buffer 104 in the more 
generalised diagram of Figure 1. 

As mentioned supra the development of 80 
an absolute address of an operand from an 
effective address is disclosed in patent 
application No. 21630/74, (Serial No. 
1,465,344). Briefly and with reference to 
Figure 6 any of 8 base registers 602 are 85 
addressed via UG and UH registers 603 and 
604 respectively which contain base register 
addresses from an instruction address 
syllable or base register specified by the 
instruction formats. The base register 602 90 
contain such information as TAG, base 
register ring number BRN, segment table 
number STN, segment table entry STE and 
OFFSET as shown or contained by base 
. registers 1 and 2 of the group of base 95 
registers 602. Writing into the base registers 
is performed under micro-op control by 
UWB logic 601. For example it is shown 
that information from the UM register 502 
of Figure 5 may be written into bit positions 100 
(2, 3) of a selected base register; also 
information from the QA bus may be 
written into the base registers and 
provisions are made to clear a selected base 
register i.e. write all zeroes. Reading out of |05 
any of the base registers is performed by 
UBR logic 605. In general the UBR logic 
605 permits the appropriate base register to 
be strobed out onto bus QA or QB, or into 
UN register 608. Note that UN register 608 1 10 
holds bits 8 through 31 of the base registers 
which is the OFFSET part of the segmented 
address. Moreover UBR logic 605 when 
addressed by an address contained in 
instruction buffer TB (not shown) reads out 1 15 
the segment number SEG (which is 
comprised of STN and STE) into US 
register 607 via UBS transfer logic 606. The 
comparison of the segment number SEG in 
US register 607 with the associative 120 
memory 600 may then be performed as 
previously described. It will be noted that 
bits (4—15) of QA bus 614 may also be read 
into or from US register 607. Similarly bits 
(8 — 31) from QA bus 6 14 may read into UN 125 
register 608. Also bits (9—11) of the US 
register 607 may be read into Q A bus 614 as 
denoted by US (9 — J 1) arrow (the arrows 
into various register and/or logic circuitry 
denote the source of data and that followed 1 30 
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by a number denote the bit numbers of that 
data). 

Referring now to Figures 5 and 6, a 2-bit 
UP register 501 stores the current process 

5 ring number PRN. The current process ring 
numbers PRN is obtained from bits 2 and 3 
of the instruction counter (1 18 or Figure 1) 
via bits IC (2—3) of the QA bus 614 of 
Figure 6. Bits IC (2—3) of QA bus 614 are 

10 transferred to 2-bit UV register 503 under 
control of a micro-operation UV9QA0. The 
micro-operations are obtained from micro- 
instructions in the control store unit 1 10. 
(On Figure 5 the dot surrounded by a circle 

15 indicates a micro-operation and the first 
two letters of the name of the micro- 
operation indicate the destination of the 
data to be transferred; the fourth and fifth 
letters indicate the source of the data 

20 transferred; the third character indicates 
whether a full or partial transfer is made 
with F indicating a full transfer while the 
sixth character indicates whether the signal 
doing the transferring is high or low with 

25 even numbers indicating a low signul and 
odd numbers indicating a high signal. As an 
example of the use of this convention bits 2 
and 3 on QA bus indicating the tail of the 
arrow QA (2, 3) indicate PRN is the PRN 

30 process ring number that is being 
transferred under control of the micro-op 
UV9QA0 which says the transfer is made to 
register UV, is a partial transfer of the bus 
QA t and the source of the data is the bus 

35 QA and is an unconditional transfer as 
indicated by the sixth character being 0. 
Transfer to UV register from QA bus source 
is unconditional. This 0 will be the 
corresponding seventh character in the 

40 logic file name of the subcommand 
UV9QA1^ Once the process ring number 
PRN is transferred from the QA bus 614 to 
the UV register 503 another transfer takes 
place under control of the micro-operation 

45 UM9UV0 from UV register 503 to UM 
register 502. Finally another transfer takes 
place from UM register 502 to UP register 
501 under control of a micro-operation 
UP9UM0. 

50 Two bit register UM 502 is utilized to 
generate the effective address ring number 
EAR during ITS and ITBB (Le. indirection 
to segment and indirection to base), 
(£AR=MAX (BRN, PRN, DRN./BBR 

55 (BRN) etc.) address formation for address 
syllable I and address syllable 2 type 
instruction format. The EAR is generated 
according to the rules previously 
enunciated by utilizing one or more tests 

60 shown in block 510 and the maximum of the 
rin§ number is obtained and stored in UM 
register 502 which stores the effective 
address ring number EAR (detailed logic or 
making the comparisons of block 510 are 

65 later shown and described in detail). The 



UO register is used to save address syllable 
1 effective address ring number EAR in the 
event the address syllable 2 is being utilized 
to extract EAR 2. 

Two-bit UV register 503 f and 2-bit UW 70 
register 504 is utilized mainly as storage for 
various ring numbers that are obtained 
from the outside of the ring checking 
hardware of Figure 5 and transferred or 
processed to other parts of the ring 75 
checking hardware. For example the base 
register ring number BRN is transferred 
from bit positions 2 and 3 of UBS transfer 
logic 606 to UV register 503 under control 
of the micro-operation UVFBS0; the go 
maximum ring number MAXR of word 2 of 
the segment descriptor (also shown stored 
in bits 36 and 37 of U A B associator buffer 
61 1) is transferred from UAB buffer 611 to 
UV register 503 under control of the micro- 85 
operation UVFABl; also bits 34 and 35 of 
UAB buffer 611 which is the write ring 
number WR is transferred to UV register 
503 under control of micro-operation 
UVFAB0. UW register 504 has similar 90 
transfers of other ring numbers from 
various parts of the system. For example 
bits 34 and 35 which are the write ring 
number WR of UAB buffer 6 1 1 may also be 
transferred to UW register 504 under 95 
control of micro-operation UWFABI; bits 
32 and 33, the read RD ring number of 
UAB buffer 61 1 may also be transferred to 
UW register 504 under control of micro- 
op UWFAB0; also bits 0 and I of QA bus tot) 
614 may be transferred to UW register 504 
under control of micro-operation 
UW9QA0. Note also several transfer paths 
of UW register 504 into UV register 503 
under control of the micro-operation 105 
UV9UW0: the transfer path of UV register 
503 into UM register 502 under control of 
micro-operation UM9UV0; the transfer 
path of UM register 502 into UP register 
501 under control of the micro-operation no 
UP9UM0; the transfer path of UP register 
501 into UM register 502 under control of 
micro-operation UM9UP0; the transfer 
path of UM register 502 into UO register 
512 under control of micro-operation 115 
UO9UM0; and finally the transfer path of 
UO register 512 into UM register 502 under 
control of the micro-operation UM9UO0. 

Briefly therefore UP register 501 holds 
the current process ring number PRN; UM 120 
register 502 and UO register 5 1 2 are utilized 
for transfer operations and also to generate 
the EAR; UV register 503 may shore for 
various purposes and at different times the 
current process ring number PRN, the base 1 25 
register ring number BRN, the maximum 
ring number MAXR, the write ring number 
WR, or the read ring number RD. UW 
register 504 may at various times hold the 
read ring number RD, the write ring no 
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number WR, and bits 0 and 1 of bus QA. 
UMR 505 is logic, the details of which are 
shown on Figure 8d, which compares the 
contents of registers UM and UV and 
5 produces the greater of the two values in 
the registers and this value is stored in UM 
register 502 under micro-operation control 
UMFMRO. This is one way of generating 
the effective address ring number EAR. 

10 UMR logic 505 may also produce the 
greater value of the contents of register UP 
or of bits 2 and 3 of UBS logic 606. This is 
another method and/or additional step in 
generating the effective address ring 

15 number EAR. UMR logic 505 is also 
utilized to determine whether or not a write 
violation has occurred by transferring a 
write ring number WR into UV register 503 
and then comparing the contents of the UM 

20 register 502 (holding EAR) with the 
contents of UV register 503 in order to 
determine which one has the greater 
contents. Since UM register 502 stores the 
effective address ring number EAR a 

25 comparison of the UM register and the UV 
register will indicate whether EAR is 
greater than WR or vice versa, ff WP (i.e. 
write permission bit in the segment 
descriptor) is equal to I and if EAR lies in 

30 the range of OsEARsWR then a write 
operation may be performed into the 
segment. Note that UMR logic 505 may 
have inputs directly or indirectly from all 
registers 501 — 504, from other logic 506, 

35 507 and also from UBS logic 606. 

UWV logic 506 corresponds to the detail 
logic of Figure 8a. UWV logic 506 has 
inputs directly or indirectly from registers 
501—504 and from logic 505, 507 

40 respectively and generates an execute 
violation signal when a comparison of UW, 
UM and UV registers 504, 502, and 503 
respectively indicates that the statements 
that the maximum ring number MAXR is 

45 greater or equal to the effective address 
ring number EAR, and that EAR is greater 
or equal to the write ring number WR are 
not true i.e. in order for a procedure to be 
able to execute in a given segment 

50 indicated by the effective address the 
maximum ring number MAXR must be 
greater or equal to the effective address 
ring number and the effective address ring 
number EAR must be equal or greateT than 

55 the write ring number WR. UWV logic 506 
also performs tests shown in block 510. 
Indications may be given that the contents 
of UW register is less than or equal to the 
contents of the UV register; the contents of 

60 the UM register is greater than or equal to 
the contents of the UV register; the 
contents of the UV register is equal to the 
contents of the UM register; the contents of 
the UV register is greater or equal to the 

65 contents of the UM register; and the 



contents of the UM register is greater than 
the contents of the UW register. Of course 
when performing these tests different 
values of ring numbers may occupy the 
registers. 70 

UEP logic 507 corresponds to the detail 
logic of Figure 8b. UEP logic 507 in 
combination with UWV logic 506 generates 
the read violation exception. However the 
read violation exception may be overridden 75 
if the effective address ring number EAR 
equals the current process ring number 
PRN, since a procedure is always permitted 
to read its own segment, and if the segment 
number of the procedure segment 80 
descriptor (not shown herein) and the 
segment number of the address syllable 
utilized in generation of the effective 
address are the same. 

To illustrate the overriding of the read 85 
violation signal assume that the effective 
address read number EAR is greater than 
the read number RD which would generate 
a read violation high signal which would be 
applied as one input of AND gate 522. 90 
However the read violation exception 
signal may not be generated even though 
there is a read violation signal if the 
following two conditions exists: 

1. The effective address ring number 95 
EAR is equal to the process ring number 
PRN; i.e. the contents of register UM is 
equal to the contents of the register UP; 
and. 

2. The segment number contained in die 100 
address syllable of the segment in which a 
procedure desires to read is equal to the 
segment number of the procedure segment 
descriptor (not shown) of the current 
procedure in execution and this is indicated I 05 
by setting a bit called a P bit and located as 

the thirteenth bit of UE register 650. (UE 
register 650 is a store for the contents of 
UAS associator 609 when a "hit" has 
resulted by a comparison of the contents of 1 10 
US register 607). Since this example 
assumes that EAR equals PRN, UEP logic 
507 will apply a high signal to AND gate 520 
as one input, and since it is also assumed 
that the segment number SEG of the [|5 
address syllable of the segment being 
addressed is equal to the segment number 
SEG of the procedure segment descriptor 
(not shown) of the currently executing 
procedure, then the P bit of the procedure 120 
segment descriptor will be set and hence 
the other input applied to AND gate 520 
will be high thus enabling AND gate 520; a 
high signal is therefore applied to the input 
of inverter 521 resulting in a low signal at |25 
the output of inverter 521 which low signal 
is then applied as another input of AND 
gate 522. Since there is a low signal to AND 
gate 522 no read violation exception signal 
can be generated by amplifier 523 even if J3Q 
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the third input signal applied to AND gate 
522 is high. 

To illustrate how a read violation signal is 
generated and not overridden, assume that 
5 the output of UEP logic 507 indicates that 
the contents of UM register is not equal to 
the contents of UP register. Then that input 
to AND gate 520 would be low and hence 
AND gate 520 would not be enabled and its 

[0 output would be low and would be applied 
to the input of inverter 521. Since the input 
of inverter 521 is low its output would be 
high which would be applied as one input of 
AND gate 522. If also the effective address 

15 ring number EAR is greater than the read 
rin| number RD (i.e. contents of UM 
register is greater than contents of UW 
register) that signal would be high and 
would be also applied to another input of 

20 AND gate 522. AND gate 522 has still a 
third input which must also be high in order 
to enable AND gate 522. This third input is 
high when AND gate 526 is enabled. Since 
AND gate 526 has one input terminal which 

25 is high when the 00 terminal of URVIF flop 
524 is low, AND gate 526 is enabled by 
applying the micro-operation read 
violation interrogate signal AJERVA to 
one input terminal of AND gate 526 while 

30 the 00 terminal of URVIF flop 524 is low. 
Thus AND gate 522 will have all input 
terminals high, generating the read 
violation exception signal. 
The execute violation exception is 

35 generated in two ways. It was seen earlier 
that an execute violation signal results 
when UVW logic 506 indicates that the 
inequalities WR is less than or equal to 
EAR, and EAR is less than or equal to 

40 MAXR are not true. This high execute 
violation signal is applied to a one-legged 
AND gate 550 which in turn is applied to 
the input terminal of two-legged AND gate 
553 via amplifier 552. When an execute 

45 violation interrogate micro-operation signal 
AJEEVA is applied as another input of two- 
legged AND gate 553, this gate is enabled 
which in turn generates the execute 
violation exception via amplifier 554. The 

50 other method by which the execute 
violation exception is generated by the 
execute violation hardware 51 1 is when the 
execute permission bit EP is not set. When 
this condition is true it is indicated by the 

55 seventh bit of UY register 613 being high; 
this bit is then applied to the input terminal 
of one-iegged AND gate 551 which is 
applied as a high signal to one input 
terminal of AND gate 553 via amplifier 552. 

60 When the execute violation interrogate 
micro-operation signal AJEEVA goes high, 
AND gate 553 is enabled and generates an 
execute violation exception via amplifier 
554. 

65 The write violation exception is also 



generated in two ways. It was seen 
previously how the UM R logic 505 
generates a write violation signal when 
EAR is greater than WR. This write 
violation signal is applied to one input 70 
terminal of AND gate 545. AND gate 545 is 
enabled when its second input terminal 
goes high thus generating a write violation 
exception through amplifier 547. The 
second input terminal of AND gate 545 75 
goes high when AND gate 542 is enabled* 
AND gate 542 is enabled when the input 
signals applied to its input terminals are 
high. One input signal is high when UWVIF 
flop 541 is low which in turn applies a low 80 
signal to the input terminal of inverter 543 
which in turn applies a high signal to one 
input terminal of AND gate 542; the other 
input signal is high when the write violation 
interrogate micro-op signal AJEWVA is 85 
high and this happens when it is desired to 
interrogate a procedure for the write 
violation exception. (Flip-flops URVIF, 
URN 1 F, and U WV I Fare set low when any 
interrupts or soft ward occurs). (UWV2F, 90 
URV2F, and URN2F flip-flops arc utilized 
to store back-up excess checking - 
information for ring checking). The other 
method for generating a write violation 
exception is when the write permission bit 95 
WP is not set. This condition is indicated by 
bit 6 of UV register 613 being high. When 
this condition exists and the high signal (i.e. 
the sixth bit of UV register) is applied as one 
input of AND gale 546 and the interrogate 100 
signal 

AJEWVA is high and applied as 
another input of AND gate 546, then AND 
gate 546 is enabled and a write violation 
exception occurs via amplifier 547. 105 

Logic circuitry 591 comprised of flip- 
flops 532 and 533 in conjunction with 
amplifier 530 and AND gate 531 and 
inverter 530A permit the formation in 
register UM 502 of the maximum value of 1 10 
ring number (i.e. EAR) under control of a 
splatter instruction subcommand (not 
described herein) from the instruction fetch 
unit IFU. Assuming URN IF flip-flop 532 is 
set to logical 0 whereas URN2F flip-flop 115 
533 is set to logical 1, then during the 
execution of the splatter subcommand, 
input terminal 531 A of AND gate 531 will 
be high; therefore if flip-flop 532 is low 
(logical 0) then the signal will be inverted by 1 20 
inverter 530A and AND gate 531 will be 
enabled. Hence the maximum value of the 
contents of UP register 501 or bits 2 and 3 
of logic vector UBS 606 will be strobed into 
UM register 502. Conversely if flip-flop 532 125 
is a logical U then the contents of UM 
register 502 is not changed via the above 
mentioned sources and the EAR derived in 
UM register 502 via the addressing process 
of indirection is the one utilized. Flip-flop 130 
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533 is the back-up store For the EAR of The code for the control signals are 

address-syllable 2 when utilized. previously described in detail and is 

Referring now to Figures 7 and 8 and summarized here. Briefly the first two 

Figure 5 there is a correspondence wherein characters of a control signal indicate the 

5 the detailed logic for hardware in Figure 5 destination of data to be transferred; the 70 

is shown in Figures 7 and 8 as follows: third character indicates whether a full or 

Figure 7a and UW register 504; Figure 7b partial transfer is to be effected with the 

and UV register 503; Figure 7c and block letter F indicating full transfer and any 

590; Figure 7d and block 591; Figure 7e and other character indicating a partial 

10 block 592; Figure 7f and UP register 501; transfer; the fourth and fifth character 75 

Figure 7g and UO register 512; Figure 7h indicates the source of the data, and if the 

and UM register 502; Figure 8a and UWV source is identiFied by more than two letters 

logic 506; Figure 8b and UEP logic 507; and only the last two letters need be used; the 

Figure 8d and UMR logic 505. sixth and seventh characters are usually 

15 Referring to Figure 7a, the UW register numerals and indicate whether the signal is 80 

504 is comprised of two flip-flops 715a and high or low i.e. an odd numeral in the sixth 

720a respectively, each flip-flop capable of position indicates assertion and an even 

holding one bit of information of the UW numeral in the sixth position indicates 

register. Coupled to flip-flop 715a are 4 negation; the seventh position indicates 

20 AND gates 711a— 714a which are OR'ed whether this is the first, second, third, etc. 85 

together, with each gate (except gate 713a) level of occurrence of the signal. Data, on 

having two input terminals, and with at the other hand, is indicated differently. The 

least one signal applied to each input first three characters of data indicates the 

terminal. AND gate 714a has one of hs source of the data, the fourth and fifth 

25 input terminals coupled to the set terminal characters which may be numerals indicate 90 

OW000I0 of the flip-flop 715a. Flip-flop the bit positions where the data is located m 

71 5a is also coupled to the terminal YiJJ for the source, and the sixth and seventh 

receiving from a clock a timing signal called position are similar to the control signals in 

a PDA signal. Flip-flop 720a coupled to that they indicate whether the signalis high 

30 AND gates 716a— 7 19a which are OR'ed or low and the level of occurrence of the 95 

together. One input terminal of AND gate signal. Generally the format itself indicates 

716a is coupled to an input terminal of whether the signal is a control signal or a 

AND gate 711a; one input terminal of AND data signal and by reference to Figures 5 

gate 717a is coupled to one input terminal And 6 the source and destination may be 

35 of AND gate 712a and one input terminal of determined. There are exceptions to this 100 

AND gate 719a is coupled to an input general rule and they will be spelled out in 

terminal of AND gate 714a, whereas the the specification, and addenum. 

other input terminal of AND gate 719a is As an example of this convention it will 

coupled to the set terminal UW001 10 of the be noted on Figure 7a that the following 

40 flip-flop 720a. Rip-flop 720a is also coupled signals arc control signals: UWFAB11, 105 

to the H27 terminal for receiving PDA UWFAB10, UW9QA10. The following 

pulses. signals arc data signals UAB3410, 

AND gates 701a~704a are OR'ed UAB3210, UAB3510, UAB3310, QA001 10, 

together each having their output terminal and QA00010. The following signals are 

45 coupled to the input terminal of inverter exception PDARG10 is a timing signal 110 

705a. AND gate 706a is coupled to whose source is the PDA clock; 

amplifier 708a; whereas AND gate 707a is UWHOL10 is a hold signal for holding the 

coupled to amplifier 709a; one input information in the flip-flops 715a and 720a 

.terminal of AND gate 706a is coupled to UW0BKI0 and UW1BKJ0 are back-up 

50 one input terminal of AND gate 707a. The logic whose main function is to extend the 115 

output terminal of inverter 705a is coupled input capability of flip-flops 715a and 720a 

to one input terminal of AND gate 714a and by connecting the UW register which is in 

719a; the output terminal of amplifier 708a fact formed by flip-flops 715a and 720a, to 

is coupled to the input terminal of AND bh zero and bit 1 represented by flip-flops 

55 gate 7 1 3a and the output terminal of 715a and 720a respectively; and finally 120 

amplifier 709a is coupled to the input USCLR10 is the clear signal for clearing 

terminal of AND gate 718a. and setting the flip-flops to zero. 

The signals applied to the inputs of AND As an illustration of the above mentioned 

gates and the signals derived as outputs convention herein adopted the signal 

60 From amplifier, inverters, or flip-flops are UWFABll applied to the input of one- 125 

designated by letters forming a special legged AND gate 702a is a control signal 

code. Since both data signals and control which transfers data (bits 34 and 35) 

signals are either applied or derived there contained in UAB associator buffer 611 

are two codes, one code for the control (the U in the signal has been omitted) to 

65 signals and one code for the data signals. UW register 504 and is a full transfer to the 130 
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UW register 1; the odd number indicates 
the signal is assertion. Signal UWFABIO 
applied to the input of one-legged AND 
gate 703a is a control signal with the same 
5 source and destination as the signal applied 
to AND gate 702a except that bus 32 and 33 
of UAB are transferred to UW register. The 
signal UW9QA10 applied to one-legged 
AND gate 704a is also a control signal 

10, wherein data is transferred from QA bus 
614 to the UW register and may be a partial 
transfer. The signal QA00010 applied to 
AND gate 706a is a data signal where data 
is on QA bus 614 (the third position is not 

15 herein utilized since the first two positions 
adequately describe where the data is) and 
this data signal represents the bh identified 
as 00 on QA bus 614. The signal QA001 10 is 
similar to the previous signal except the 

20 data identified by this signal is the data on 
position 01 of the QA bus 614. Thus by 
utilizing this convention and Figures 5 
through 9 the ring protection hardware is 
fully defined and may be easily built by a 

25 person of ordinary skill in the computer art. 
Referring to Figure 7b there is shown the 
detailed logic block diagram for UV register 
503. Signal UVH0L10 is a hold signal for 
UV register 503 which is generated via 

30 inverter 703b when none of the one-legged 
AND gates 701b— 708b has a high signal 
applied to it. UVH0L10 signal is applied to 
AND gate 723b and causes information 
stored in the UV register 503 to be held 

35 therein. Signal UVH0L1E coupled to the 
input of AND gate 704b and to the outputs 
of AND gates 705b— 708b extends the 
number of control signals that may 
generate the hold signal UVHOL10. Signal 

40 UV0BKI0 coupled to the outputs of AND 
gates 710b— 713b and to the input of AND 
gate 722b is also utilized to extend the 
number of inputs signals that may be 
applied to flip-flop 724b. Signal 
45 UVIBK10 coupled to the outputs of AND 
gates 716b — 718b and to the input of AND 
gate 727b similarly extends the number of 
input signals that may be applied to flip-flop 
729b. 

50 Referring now to Figure 7g there is 
shown the detailed logic block diagram of 
UO register 512. AND gates 70lg-~704g are 
OR'ed together and their output is applied 
as an input to inverter 705g. AND gates 

55 706$— 709g are also OR'ed together and 
their outputs are coupled to flip-flop 710g. 
Also one input of AND gate 709g is coupled 
to the UO000IO terminal of flip-flop 71Qg. 
AND gates 71 tg — 714g are also OR'ed 

60 together and are similarly coupled to flip* 
flop 715g. It will be noted also that an input 
of AND gate 706g is coupled to an input of 
AND gate 71 Ig; an input of AND gate 707g 
is coupled to an input of AND gate 712g 

65 and an input of AND gate 709g is coupled 



to an input of AND gate 7l4g. The 
UOH0L10 signal generated by inverter 
705g is also coupled to an input of AND 
gate 709g and 714g and is utilized to hold 
information in the UO register 512. XOO 70 
represents a ground, whereas XNU means 
unused input. 

Figure 7f is a detailed logic block 
diagram of UP register 501. It is similar to 
Figure 7g described supra except that 75 
different signals from different destinations 
and different sources are applied. 

Referring now to Figure 7h there is 
shown the detailed logic block diagram of 
UM register 502. AND gate 70lh— -704b are 80 
OR'ed together to produce the UMH0LI0 
hold signal via inverter 705h. AND gates 
706h— 709h are OR'ed together and are 
coupled to the input of AND gate 704h in 
order to extend the range of signals that 85 
may be applied to produce the UMHOL10 
hold signal. Similarly AND gates 
71 Ih — 714h are OR'ed together and 
coupled to the input of AND gate 723b in 
order to extend the range of signals that 90 
may be applied to flip-flop 730h; and also 
AND gates 7 16h— 71% are OR*ed together 
and are coupled to the input of AND gate 
727h in order to extend the range of signals 
applied to flip-flop 73 Ih. A line 7406 for 95 
applying the PDA signals to flip-flop 730h 
and 73 1 h is coupled at point 734h and 735h 
respectively. The input of AND gate 703h is 
also expanded to provide two further inputs 
URN1F00 and IRNUM10 by coupling the 100 
output of amplifier 733h to the input of 
AND gate 703b. 

Referring now to Figures 7c — 7e there is 
shown detailed logic block diagrams of 
write exception control logic 590, IFU 105 
subcommand control logic 591, and read 
violation exception control logic 592 
respectively. Referring first to Figure 7c 
there is shown flip-flops 705c and 710c 
which correspond to flip-flops 541 and 540 1 10 
respectively. Under a micro-operation 
URW2F10 subcommand the information in 
flip-flop 710c is transferred to flip-flop 
705c. The UWVIH10 hold signal is utilized 
to hold the information transferred to flip- 1 15 
flop 710c, whereas the UWV2H10 signal is 
utilized to hold the information transferred 
to flip-flop 705c. Similarly in Figure 7d 
information is transferred from flip-flop 
710d to flip-flop 705d under micro- 120 
operation signal URNSW10, and in Figure 
7e information from flip-flop 710e is 
transferred to flip-flop 709e under control 
of micro-operation signal URW2F10. 

Referring now to Figures 8a, 8b and 8d 125 
there is shown detailed logic block 
diagrams of UWV logic 506, UWEP logic 
507, and UMR logic 505 respectively. 
Referring first to Figure 8a there is shown 
logic for generating a high signal when one 1 30 
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of Ihc test conditions 510 is true and also for 
generating the execute violation signal 
when the contents of UW register is less 
than or equal to the contents of UM 

5 register is less than or equal to the contents 
of UV register is not true. When the signal 
UWLEV10 is generated it indicates that the 
contents of UW register 504 is less than or 
equal to the contents of UV register 503. 

10 The logic for generating this signal was 
derived pursuant to the following Boolean 
expression: 



X l= CBCD)+(ABT5)x(AC} 

Where X t represents the output of 
1 5 amplifier 805a and the various letters of the 
expression represent different input 
terminals of AND gates 801a— 804a. 

An indication that the contents of UV 
register 503 is greater than or equal to the 
20 contents of UM register 502 is had when 
UVGEM10 signal is generated. This signal 
is generated via inverter 820a in response to 
various inputs on AND gates 816a — 819a 
which are OR'ed together and coupled to 
25 the input of inverter 820a. The logic for 
generating the UVGEM10 signal is made 
pursuant to the following Boolean 
expression: 



XjKBCDMABDMAC) 

30 An indication that the contents of UM 
register 502 is greater than or equal to the 
contents of UV register 503 is indicated by 

f enerating signal UMGEV10 via inverter 
10a in response to the various inputs of 
35 AND gates 806a— 809a which are OR'ed 
together. The logic for generating this 
signal is derived from the following 
Boolean expression: 



xmbCCwabBmaq 

40 (Wherein X, is the generated output 
signal). 

Similarly the UVEQM10 signal is 
generated pursuant to the following 
Boolean expression: 



45 X 4 =(AC)+(AC)+(B D)+(BD) 

Generation of the UVEQUM10 signal 
indicates that the contents of the UV 
reeistcr 503 is equal to the contents of the 
UM register 502. 

50 The generation of the UMGEW10 signal 
indicates that the contents of the UM 
register 502 is greater or equal to the 
contents of the UW register 504 and is 
generated pursuant to logic having the 

55 following Boolean expression: 



X5=(BCD)+(abI5)+(ac) 

Generation of the UMGTW10 signal 
indicates that the contents of UM register 
502 is greater than the contents of UW 
register 504 and this signal is generated by 60 
logic defined by the following Boolean 
expression: 

x<habB}+Q;bB+a) 

The generation of the UWGMV00 signal 
indicates that the contents of UW register 65 
less than or equal to the contents of UM 
register less than or equal to the contents of 
UV register is not true. It is obtained when 
the UVGEMI0 signal indicating that the 
contents of UV register is greater than or 70 
equal to the contents of the UM register, 
and the UMGEW10 signal indicating that 
the contents of the UM register is greater 
than or equal to the contents of the UW 
register are both high. 75 

Referring now to Ftgure 8b a UMEQP10 
signal is generated by logic derived from 
the following Boolean expression: 

Xr=<Ar>HAC)+(Bl3>+{BD) 

When this signal is high it indicates that 80 
the contents of UM register 502 is greater 
than the contents of UP register 501. 

Referring to Figure 8d there is shown the 
detailed logic block diagram for performing 
the operations of UMR logic 505 shown on 85 
Figure 5. One of the operations of this logic 
is to determine the maximum value of the 
contents of UP register 501 and of bits 2 and 
3 of UBS logic 606. In order to do this there 
must be an indication whether contents of 90 
UP is less than the contents of UBS or the 
contents of UP is greater than the contents 
of UBS. The generation of UPBEB 10 signal 
indicates that the contents of UP register 
501 is less than or equal to bits 2 and 3 of 95 
UBS logic 606; whereas the generation 
signal UPGTB 10 indicates that the contents 
of UP register 501 is greater than bits 2 and 
3 of UBS logic 606. These signals are 
generated by logic which has been defined 100 
by the following Boolean expression: 

X«=(BCD)+(ABDK(AC) 

Where X g is the output of inverter 805d 
and the letters of the expression are various 
inputs of the AND gates 801 d— 803d. 105 

To illustrate how the maximum value of 
the contents of UP register and UBS logic 
may be determined by the output signals 
UMPBOlOand UMPB 1 10 of amplifier 8 14d 
and 817d respectively, assume first that the 1 10 
contents of register UP are less than or 
equal to bits 2 and 3 of UBS logic because 
bit 2 is I and bit 3 is I whereas UB register 
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contains 01. This is indicated by the signal 
UPLEB10 being hi|h and the signal 
UPGTBIO being low since it is the inverse 
of signals UPLElBIO. This high UPLEB10 
5 signal is applied to one input of AND gate 
813d and also one input or. AND gate 806d. 
If bit 2 of UBS logic is a i as indicated by 
signal UBS02I0 then AND gate 813d is 
enabled and signal UMPBOlOgoes high and 

iO indicates that bit 2 on UBS logic is a I. 
Moreover if bit 3 of UBS logic is a 1 
indicated by input signaJ UBS0310 being 
applied as another input of AND gate 8l6d 
then AND gate 816d is enabled and signal 

15 UMPB1 10 is high or a I. Therefore under 
the assumed conditions where bits (2, 3) 
UBS logic is greater or equal to the 
contents of UP register the maximum value 
of the two quantities is in UBS, and its 

20 number is binary 1 1 or decimal 4. Hence it 
is seen how a comparison is first made to 
determine which hardware contains the 
maximum, and then a determination is 
made as to the value of that maximum. By 

25 similar analysis one may see how the value 
of the UP register may be determined by 
signals UMPB010 and signals UMPB1I0 
when the contents of UP register is greater 
than the second and third bit of UBS logic. 

30 Similarly the maximum value of UM 
register 502 or UV register 503 may be 
determined by signals UVGEM10 and 
UMCTV10 respectively, when UV register 
503 is greater than or equal to UM register 

35 502, and conversely when UM register 502 
is greater than UV register 503. 

Referring now to Figures 9a— 9i a legend 
of symbols utilized in Figures 7 and 8 is 
shown. Figure 9a shows the symbol when 

40 there is a connection internally within the 
logic board. Figure 9b illustrates an output 
pin connection. Figure 9c indicates an 
input pin connection and is generally a 
source outside of the logic board 

45 illustrated. Figure 9d is the symbol utilized 
for an AND gate. Figure 9e is the symbol 
utilized for an amplifier; whereas Figure 9f 
is the symbol utilized for an inverter. Figure 
9g illustrates three AND gates 901g — 903g 

50 that are OR'ed together thus causing 
output 904g to go high when any one of 
AND gates 901g— 903g is high. Figure 9h 
shows the symbol of a flip-flop having a 00 
reset terminal and a 10 set terminal. A PDA 

55 line supplies the clock pulse for causing the 
flip-flop to switch states when other 
conditions are present on the flip-flop. 
Figu re 9i rep resents a m icro-operation 
control signal. 

60 In order to enforce the ring protection 
scheme between procedures executing in 
different rings, the invention employs push- 
down stacks for its procedure linkage 
mechanism wherein a portion of each stack 

65 called a stack frame is dynamically 



allocated to each procedure. Different 
stack segments are used for each ring with 
one stack segment corresponding to one 
ring. Thus when a procedure is executed in 
ring RN its stack frame is located in the RN 70 
stack segment. Referring to Figure 10 there 
is shown three stack segments 1001 — 1003, 
with each stack segment having stack 
frames SI — S3 respectively. Ring 3 is 
assigned to stack segment 1001, ring 1 75 
assigned to stack segment 1002 and ring 0 is 
assigned to stack segment 1003. Within 
each stack segment there is a procedure 1 1 
associated with stack frame SI of segment 
1001, a procedure P2 associated with stack 80 
frame S2 of stack segment 1002 and a 
procedure P3 associated with stack frame 
S3 of stack segment 1003. The segmented 
addresses (i.e. segment number and 
segment relative address SEG, SRA) of the 85 
first bytes of the stack segments for rings 0 ( 
I and 2 respectively are located in stack 
base words SBWO — SBW2 respectively 
which are in turn located in process control 
block 104. Since the ring 3 stack segment 90 
can never be entered by an inward call (i.e. 
from a ring higher than ring 3) its stack 
starting address is not needed. Each stack 
frame S 1 1 S2, S3 is divided into a working 
area 1005, 1006, 1007 respectively; an 95 
unused portion 1008, 1009, 1010, which is 
utilized for alignment purposes; a register 
saving area 1011, 1012. and 1013; and a 
communication area 1014, 1015, and 1016 
respectively. The working area is utilized by 100 
its procedure as needed and may contain 
material required by the process such as 
focaJ variables, etc. The saving area of the 
stack frame is utilized to save the contents 
of various registers such as the status 105 
register, the T-register and the instruction 
counter contents ICC. The 
communications area stores information 
which is needed to pass parameters 
between procedures. Prior to a call to a 110 
given procedure the user saves those 
registers he wishes saved and moreover 
loads into the communication area the 
parameters to be passed to the called 
procedure. When the call is made, the 115 
hardware saves the contents of the 
instruction counter and other specified 
registers to facilitate a return from the 
called procedure. Each procedure call 
creates a stack frame within a stack 120 
segment and subsequent procedure calls 
create additional frames. Hence a stack is 
created and consists of a number of 
contiguous parts called stack frames which 
are dynamically allocated to each 125 
procedure. These stacks reside in stack 
segments. Generally the first stack frame is 
loaded into the beginning of the segment 
and succeeding frames are loaded after it. 
The last frame loaded is considered the top 1 30 
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of ihe slack. A T-register 114 on Figure 1, 
locates the top of the stack for the currently 
active process* A procedure such as for 
example P I which is executing in ring 3 may 

5 call a procedure P2 executing in ring I 
which in turn calls a procedure P3 which is 
now executing in ring 0. As each procedure 
is called it creates within its ring stack 
segment a stack frame (i.e. defining the 

10 environment for the procedure execution) 
and the T-register 1 14 is loaded which gives 
the address of the top of the stack for the 
current active process. The procedure PI 
(as previously assumed) may call procedure 

1 5 P2 which in turn may call procedure P3 and 
since these calls are from a higher ring 
number to a lower ring number a ring 
crossing entailing an inward call is required 
and is accomplished in a manner to be 

20 described infra. During each change of 
procedure the necessary registers and 
parameters are saved in order to facilitate a 
return from the called procedure. 

A procedure is always accessed through a 

25 procedure descriptor It 10 by means of the 
ENTER PROCEDURE INSTRUCTIONS. 
The format of the ENTER PROCEDURE 
INSTRUCTION 1 100 is shown on Figure 
11a. The operation code (OP) 1101 

30 occupies bit positions 0 through 7. The 
complementary code 31 02 is a one bit code 
and occupies bit position 8 to 9; if the 
complementary code is set to logical 1 the 
instruction is ENT, whereas if the 

35 complementary code is logical 0 the 
instruction is ENTSR and the base register 
must be base register 0 (BRO). The address 
syllable AS 1 104 occupies bit positions 12 
thru 31 and provides the address syllable 

40 AS of the procedure descriptor 1 1 10. When 
an ENTER PROCEDURE 
INSTRUCTION requires a ring crossing a 
gating procedure descriptor 1120 is 
obligatorily accessed. This is indicated by 

45 the GS field 1302 of segment descriptor 
1301 being set to logical 10. Generally the 
GS field is set to 10 when one of the 
ENTER PROCEDURE INSTRUCTIONS 
is utilized. As described in the application 

50 No. 21630/76, Serial No. 1,465.344, the 
segment descriptor is utilized to point to the 
base of the segment desired, in this instance 
the segment 1300 containing gate 
procedure descriptors GPD 1 120. The first 

55 word of the segment 1300 containing the 
gating procedure descriptors (GPD's) is 
formatted as shoxvn in Figure 11c. The 
TAG 1121 occupies bit positions 0 and 1 
and must indicate a fault descriptor i.e. the 

60 TAG field must be set to logical 11. The 
Caller's Maximum Rin$ Number CMRN 
1122 occupies bit positions 2 and 3, and 
indicates the maximum ring from which a 
calling procedure through the gated 

65 procedure descriptor GPD is legal. A call 



violation exception is generated if the 
caller s ring number is greater than CMRN 
1 122. The gated procedure descriptor 
address boundary GPDAB 1124 occupies 
bit positions 10 through 31 and it must be 70 
greater than the segment relative address 
SRA (i.e. the GPDs displacement in the 
segment of procedure descriptors 1300), 
otherwise an illegal GPD access exception 
occurs. Thus a gating procedure descriptor 75 
GPD is utilized as the first word of the 
segment containing procedure descriptors 
and is utilized to determine whether the 
caller has a right to access the segment via 
the caller's maximum ring number CMRN 80 • 
and whether or not the procedure 
descriptor called is within the gating 
procedure descriptor's address boundary. 
Once it is determined that there is a legal - 
call to the segment and the caller has a right 85 
to enter the segment the address is obtained 
from the address syllable AS 1 104 of enter 
instruction 1 100 and the required 
procedure descriptor 1110 (see also Figure 
13) is accessed. The format of procedure 90 
descriptor 1 1 10 is shown on Figure I lb and 
is comprised of two 32 bit words— word 0 
and I respectively. Word 0 contains the 
segmented address 1113 of the entry point 
£P of the procedure desired. The 95 
segmented address, as is the case with the 
segmented address of any operand, is 
comprised of the segment number SEG and 
the segment relative address SRA. Word 0 
of die procedure descriptor includes an 100 
entry point ring number EPRN 1 1 12 and a 
TAG field 11 1 1. The value of the TAG is 
interpreted as follows: 

a. if the TAG contains logical 00 the 
procedure descriptor is direct; 105 

b. if the TAG is logical 01 the procedure 
descriptor is an extended descriptor and 
includes word 1 making a total of two 
words; 

c. if the TAG is logical 10 the procedure 1 10 
descriptor is indirect a,nd an illegal 
procedure descriptor exception occurs; and 

d. if the TAG is logical 1 1 it is a fault 
procedure descriptor and an exception 
occurs. 1 15 

Word I of the procedure descriptor is 32 
bits long and is utilized when the TAG 
indicates an extended descriptor and 
contains the segmented address of a linkage 
section whose contents are loaded in base 120 
register BR 7 at procedure entry time. 

Referring to Figure 12 a portion of the 
ENT instruction is shown and more 
specifically that portion which pertains to 
the ring crossing and ring checking 125 
requirements. The ENT instruction is 
called, 1201 and a comparison is made 1202 
wherein the segmented part of the base 
register BRn is compared to the segmented 
part of the address of the T register, and if 1 30 
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they are not equal an illegal stack base 
register 1208 is indicated. U on the other 
hand they are equal another comparison 
1 203 is made wherein the 30th bit including 
5 the next two bits (i.e. bits 30 and 31) of base 
register, BRn is compared to 0 and if it is 
not equal to 0, then once again an illegal 
stack base register 1208 is indicated. If it is 
equal to 0 it indicates that the contents of 

10 BKn is aligned with respect to the word 
boundary and another comparison 1204 is 
performed to determine that the TAG of 
BRn (i.e. the two bits starting from bit 0) is 
equal to 0. A TAG having a logical 0 

15 indicates information is accessed via a 
direct descriptor which is one of the 
requirements of the ENT instruction. If the 
TAG (i.e. bits 0 and I of BRn) is equal to 0 
then the functions stated in flow charts of 

20 Figures 14 through 16 are performed (see 
flow chart Figure 12 block 1205). If these 
meet the necessary requirements a further 
check 1206 is made to determine whether 
the segment relative address of the entry 

25 point which was given (SRA^) is even, 
because instructions start on a half-word 
boundary. If it is not even then an illegal 
branch address exception is generated 1209 
however if it is legal the ENT instruction is 

30 executed 1207 via further steps not shown. 
Referring now to the flow charts of the 
access checking mechanism Figures 
14 — 16, generally the following operations 
are performed each time the instruction 

35 ENTER PROCEDURE is issued; 

a. the caller's right to call the callee is 
checked by first determining from the 
second word of the segment descriptor the 
call bracket in which the caller is executing. 
40 (The call bracket is determined by taking 
the minimum ring number from the write 
ring number field WR and the maximum 
ring number from the maximum ring 
number Held MAXR). 

45 b. a decision is made about the next 
process ring number by determining 
whether the caller is in the same call 
bracket as the callee, which implies don't 
do anything; whether the caller ts in a call 

50 bracket requiring that he make an outward 
call in which case an exception condition is 
generated which is handled by a mechanism 
not described herein; or finally whether the 
caller is in a call bracket which requires an 

55 inward call (i.e. going to a call bracket 
which requires ring crossing from a 
larger ring number to a smaller 
ring number in which case the 
ring crossing must be at a valid entry 

60 point EP and the entry point must be 
validated). 

c. a stack frame is created for the callee 
(i.e. space in the aforementioned format of 
the appropriate segment is allocated), and 



the stack frame and the stack frame ^5 
registers arc updated; 

d. a branch to the entry point of the 
procedure pointed to by the procedure 
descriptor is performed. 

Referring now to Figure 14 the access 70 
checking is started 1401 by obtaining the 
address syllable AS containing the effective 
address ring number EAR, the segment 
number of the procedure descriptor SEG ro , 
and the segment relative address of the . 75 
procedure descriptor SRA PD . Having 
developed this information the procedure 
descriptor 1110 is fetched 1403 from 
(SEGpp, SRA ro ) ignoring access rights to 
scratch pad memory. The procedure 80 
descriptor 1 1 10 will yield the TAG which 
determines whether the descriptor is direct, 
extended, indirect, or a fault descriptor; the 
entry point ring number EPRN; the 
segment (SRA^) which contains the entry 85 
point and the segment relative address 
(SRA„) of the entry point. The TAG is 
tested 1404 to determine whether the 
descriptor 11 10 is direct, extended, indirect 
or a fault descriptor fay checking ks field in 90 
accordance to the code hereinbefore 
described. Only a direct or extended 
procedure descriptor is legal. An indirect or 
mult descriptor is illegal and upon access 
invokes an exception mechanism not herein 95 
described. Once it is determined that a legal 
procedure descriptor has been accessed the 
actual call right checking begins at point A 
1405. 

Referring now to Figure 15 and 100 
continuing from point A 1405 the maximum 
ring number MAXR, the write ring number 
WR, and the execute permission bit EP of 
the segment containing the entry points 
SEGsp arc fetched; this information is 105 
contained in the segment descriptor for the 
segment containing the entry points 
(SEGct). The write ring number WR is 
compared to the maximum ring number 
MAXR 1503 and if the write ring number 1 10 
WR is greater than the maximum ring 
number MAXR the segment is 
nonexecutable and an execute violation 
exception 1513 occurs. If the write ring 
number WR is less than or equal to the 115 
maximum ring number MAXR then the 
execute permission bit EP is compared to 
logical 1 and if the EP bit is not logical 1 
then once again an execute violation, 
exception 1513 occurs; however if the EP 120 
bit is equal to one the effective address ring 
number EAR of the calling procedure is 
maximized with EPRN to give a new 
EAR Jf — {MAX (EAR 4 EPRN)J where 
EAR, is the maximum of PRN as found in 125 
the instruction counter 1C, and all ring 
numbers in base registers and data 
descriptors, if any, found in the path which 
leads to the procedure descriptor. The 
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effective address ring number EAR 2 is then gated procedure descriptor access 
compared 1506 to the maximum ring exception 1614 occurs. However if it is 
number MAXR of the MAXR segment within the address boundary of the gated 
descriptor of SEGgp which is the maximum procedure descriptor (i.e. SRA^ is less 
5 ring number at which a procedure may than GPDAB) then the caller's right to call 70 
execute, if EAR 3 is greater than MAXR the the callee is checked 1608. This is 

procedure call is an inward call which performed by comparing the effective 

requires that the procedure be entered by a address ring number EAR. to the caller's 

valid entry point and the access checking maximum ring number CMRN 1122 as 

10 operation branch to point B 1507. The found in the first word 1 120 of the segment 75 

following checking operations are then of procedure descriptors 1300. If EAR 2 is 

performed: greater than the caller's CMRN a call 

a. the SEG W is checked to determine if violation exception 1615 occurs which 

it is a legal gate segment; and, indicates that the caller in this particular 

15 b. the caller's maximum ring number instance has no right to legally call inward 80 

CMRN is checked to determine if it is i.e. from a higher ring number to a lower 

greater than or equal to the effective ring number. On the other hand if EAR, is 

address ring number EAR of the caller. equal or less than CMRN, then the inward 

If these conditions are not true then an call is legal and a check is made 1609 to 

20 illegal gate segment exception 1603 or call determine that the process ring number 85 

violation exception 1615 occurs. PRN which is the current process ring 

Referring now to branch point B 1507 of number found in the instruction counter IC 

Figure 16 the first check 1602 that is made just before the call was made is less than the 

is to determine whether or not the maximum ring number MAXR of SEG & ; 

25 segment which contains the procedure and if h is the accessing mechanism 90 

descriptors is a gate segment This is done branches to point C 1508, otherwise a new 

by examining the Gating/Semaphore field process ring number NPRN is calculated 

GS of the segment descriptor pointing to and set to a maximum ring number MAXR 

the segment of procedure descriptors, to 1611. Generally the effective address ring 

30 determine if it is set to logical 10. If the GS number EAR 2 is the same as the process 95 

field of the segment descriptor of the ring number PRN of the caller. Sometimes 

segment containing procedure descriptors however, in cases where it is necessary to 

is set to 10 it is then a gate segment and the give maximum assurance that the caller will 

first word of the segment containing not be denied access to a given segment the 

35 procedure descriptors is a gated procedure EAR 2 is greater than the PRN. In those 100 

descriptor GPD 1120 of Figure I1C and cases 1 RN is forced to take the value of 

Figure 13. The first word 1 120 of the EAR 2 in order to make sure that the call is 

segment containing procedure descriptors returned to the maximum ring number 

is then fetched from address SEG^. 0 upon an exit To this point it will be noted 

40 ignoring access rights to scratch pad that this checking mechanism was invoked 105 

memory. It will be noted that the TAG field because the EAR } was greater than the 

of the first word 1 120 of the segment MAXR hence greater than the top of the 

containing procedure descriptor SEG«, call bracket of the procedure and hence an 

1300 must be a logical 11 (Figure 13) which inward call was necessary which 

45 indicates it is a fault descriptor. Moreover necessitated going through a valid gate, and 1 10 

the MBZ field must be set to zero. These the mechanism included these gating 

conditions are checked by checks. By branching back to C 1508 

hardware/firmware (arithmetic logic unit) (Figure 15) a further check 1509 is made to 

stop 1605 and if these conditions do not determine then that the process ring 

50 hold an illegal gate segment exception 1603 number PRN is greater than the write ring 115 

results. However if these conditions do hold number WR of SEG^ which in this context 

a check 1606 is further made to determine is the minimum ring number at which a 

that the segment relative address of the procedure may execute. If the write ring 

procedure descriptor SRApj, 1110 is a number WR is greater than the process ring 

55 multiple of 8. If the condition of step 1606 number PRN an outward call exception 120 

does not hold an illegal system object 1514 occurs. However if WR is less than or 

address exception 1613 results otherwise equal to PRN the call is legal and NPRN is 

the next step 1607 is performed. Step 1607 set to PRN 1510. 

checks to determine whether or not the Having made the above checks the 

60 segment relative address of the procedure inward call is made, and after performance 125 

descriptor SRAh, is within the address of the desired operation a return back to 

boundary GPDAB 1124 of the gated the original point of the program in 

procedure descriptor 1120; if it is not within execution is made by the EXIT 

that address boundary it is an illegal INSTRUCTION. During the ENTER 

65 procedure descriptor and an illegal GPD INSTRUCTION the instruction counter IC 130 
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was saved in the saving area of the caller's 
stack frame before making the call. 
Moreover the caller's ring number was also 
saved during the ENTER INSTRUCTION 
5 and this was saved in base register 0 BRO. 

The format of the EXIT INSTRUCTION 
1130 is shown on Figure 11D. The 
operation code OP 1131 is found in bit 
positions 0 — 7 and the complementary code 

10 C 1 133 is found in bit positions 12 — 15. The 
complementary code allows other 
instructions to use the same ft bit op code. 
The MBZ field 1132 in bit positions 8 — 11 
must be 0 otherwise an illegal format field 

15 exception occurs. (BRO is generally a 
pointer to the communications area of the 
caller's stack frame). 

In performing the EXIT INSTRUCTION 
it is necessary to perform predetermined 

20 checks in order to ascertain that the caller 
didn't change his image which would 
permit him to operate a a different privilege 
than was intended. Referring to Figure 17 
the first check performed 1701 is to 

25 determine if the TAG of the instruction 
counter content (ICC) indicates a direct 
descriptor. A logical 00 in the TAG field 
indicates that h is direct if it is not an illegal 
stack data exception 1702 occurs, whereas 

30 if it is equal to 0 the ring field in the 
instruction counter content ICC is set to 
the new process ring number NPRN 1703. 
This sets the new process ring number 
NPRN to what it used to be when the call 

35 was first made. However further checks are 
made in order to ascertain that there was no 
further cheating. Hence the base register 0 
ring number located at bit position 2 and 
extending for 2 bit positions from and 

40 including bit position 2 must be equal to the 
new process ring number NPRN 1704. (It 
will be recalled that when the ENTER 
INSTRUCTION was called the ring 
number of the caller before the call was 

45 made was stored in bits 2 and 3 of base 
register 0 (BRO). If check 1704 indicates that 
the new process ring number NPRN is not 



equal to the ring number in bit positions 2 
and 3 of the base register 0 (B RO) an illegal 
stack data exception 1702 occurs. The next 50 
check 1705 determines whether an inward 
or an outward return must be performed. 
Since an inward call was previously 
performed an outward return is implied in 
order to reach the original point from 55 
which the procedure was called. Moreover 
since the invention does not permit an 
outward call there is never a necessity to 
return inward. Hence the new process ring 
number NPRN is compared to the process 50 
ring number PRN 1705, and if NPRN is less 
than PRN an inward return is implied and 
an inward return exception 1706 is 
generated. However if check 1705 is passed 
successfully (Le. NPRN is greater or equal 65 
to PRN) then a check is made to determine 
that a return is made to the segmented 
address SEGr that called the procedure and 
a return to the call bracket of the calling 
procedure is made and moreover that the 70 
execute bit EP is set This is performed by 
fetching the segment descriptor SEGr of 
the calling procedure 1707 and making 
checks 1709, 1711, 1712. In performing 
checks 1709. 1711, 1712, check 1709 and 75 
17] 1 determine that the new process ring 
number NPRN is greater than the minimum 
ring number WR bat less than the 
maximum ring number MAXR (Le. that the 
ring number is in the call bracket of the go 
calling procedure where it should be). 
Finally check 1712 makes sure that the 
execute permission bit EP is set to I. Thus a 
full cycle is concluded a call was performed 
via an ENTER INSTRUCTION; the 35 
required operation or processing was 
performed via the called procedure; then a 
return via an EXIT INSTRUCTION to the 
calling procedure was performed. 

Having shown and described the 90 
preferred embodiment of the invention, 
those skilled in the art will realize that many 
variations of modifications can be made to 
produce the described invention and still be 
within the scope of the claimed invention, 95 



Glossary of Terms 

JOB — The job is the major unit of work for the batch user. It is the vehicle for 

describing, scheduling, and accounting for work he wants done. 
JOB STEP— A smaller unit of batch work. It is general! v one step in the execution 
-r v of a ^ ob consistin £ of processing that logically belongs together. 
TASK — The smallest unit of user-defined work. No user-visible concurrency of 

ooeration is permitted within a task. 
PROGRAM — A set of algorithms written by a programmer to furnish the 
^ ~^J£ ro JEi dura * information necessary to do a job or a part of a job. 
105 PROCESS GROUP PLEX— The system's internal representation of a specific 
execution of a job. 

PROCESS GROUP — A related set of processes, usually those necessary for 

performance of a single job step. 
PROCESS— The controlled execution of instructions without concurrency. Its 
1 10 physical representation and control are determined by internal system 

design or convention. 
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Glossary of Terms (cont) 
PROCEDURE — A named software function or algorithm which is executable by 
a computational processor without concurrency. Its physical 
representation (code plus associated information, invocation, and use 
5 are determined by internal system or designed convention). 

LOGICAL PROCESS — The collection of hardware resources and control 

information necessary for the execution of a process* 
ADDRESS SPACE (SEGMENTATION)— The set of logical addresses that the 
CPU is permitted to transform into absolute addresses during a 
10 particular process. Although a processor has the technical ability of 

addressing every single celFof timing memory, it is desirable to restrict 
access only to those cells that are used during the process associated with 
the processor. 

LOGICAL ADDRESS— An element of the process address space such as for 
15 example segment number SEG and Displacement D. 

BASIC ADDRESS DEVELOPMENT— A hardware procedure which operates 
on a number of address elements to compute an absolute address which 
is used to refer to a byte location in core. 
PROCESS CONTROL BLOCK—A process control block PCB, is associated 
20 with each process and contains pertinent information about its 

associated process, including the absolute address of tables defining the 
segment tables the process may access. 
J. P. TABLES— A collection of logical addresses for locating a process control 
block associated with a process. 
25 SEGpo — The segment which contains the procedure descriptor. 

SEGgr — The segment which contains the entry point, as found in the procedure 
descriptor. 

PRN — The process ring number* found in the instruction counter IC just before 
the call, or calculated by the ENTSR instruction. 
30 EAR — The effective address ring number which is the maximum of: 

(a) the process ring number PRN as found in the IC: or 

(b) all ring numbers in the base register and data descriptors (if any) 
found in the path which leads to the procedure descriptor from the call 
instruction, including the entry point ring number EPRN located in the 

35 procedure descriptor itself. 

MAXR — The maximum ring number at which a procedure may execute; MAXR 

is found in the segment descriptor of SEG^ 
WR — The minimum ring number at which a procedure may execute; WR is found 
in the segment descriptor of SEG,,. 
40 EP — Execution permit bit found in the segment descriptor of SEG^ 

CMRN — The caller's maximum ring number, as found in the first word of the 
segment SEG^, if this segment is identified as a gate segment (Le. with 
the code "gate'* set). 
NPRN — New process ring number. 
45 EPRN — Entry point ring number (found in the process procedure descriptor). 



22 



Addendum 



50 



55 



60 



Signal Name 

(1) WSCLR 

(2) PDARG 

(3) PDURGIT 

(4) UWOBK 

(5) UWHOL 

(6) UW1BK 

(7) UW00000 

(8) UW00010 

(9) UW00I00 
UW00110 

(10) UVSPS 



Type 

Control 
Control 
Connecting 

Connecting 
Control 

Control 



Control 



Function 

Gears register to which it is connected. 
Clock Sfgnal PDA. 

Pin connected to PDA at one end and 

resistor at the other. 
Expands inputs to UW register. 
Holds information in register to which it is 

connected. 
Same as UWOBK but is connected to 

different input terminal of UW register. 
Reset terminal of one flip-flop of register 

UW. 

Set terminal of flip-flop of register UW. 
Same as 7+8 but different flip-flop. 

Spare Control Input. 
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Signal Name 


Type 




L/ata 


(\2) UVOBK 


Expander 










IJV00100 




irvnm 10 




\ 1 **y UWV ID 


\_umroj 


(15) UWVID 


Data 


(16) UWV2F 


F/F 






UWV2S 




y 1 Un V | L-/ 


Data 


uwv in 




^-tvj uwv IL 


control 




rVintrnl 


UtViN to 


\-oniroi 


U KIN Zo 




f231 URN ID 


Data 


(24) URNSW 


Control 


(25) URN2F 


F/F 


(26) URN1H 


Control 


(27) URN2C 


Control 


(28) URW1S 


Control 


URW2S 




(29) URW1D 


Data 


(30) URV2F 


F/F 


(31) XNU 




(32) XOO 
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Addendum (cont) 

Function 
Spare Data Input. 

Same as UWOBK and UW1BK, but it 
connects different registers and gates. 

Same as UW00000, UWO0OIO, UW00100, 
UW00110, but applies to flip-flop UV. 

Control input for UWV IF. 

Data input for UWV IF. 

Write control flip-flop. 

Control unit for UWV IF, UWV2F. 

Data input for UWV IF. 
Hold UWV IF flip-flop. 
Clear UWV IF. 
Clear UWV2F. 

Control inputs for URNIF, URN2F. 

Data Input for URN IF. 
Transfer URN IF to URN2F and URN2Fto 
URNIF. 

Control loading max (UP, UBS2. 3 to UM). 
Hold URNIF flip-flop. 
Gear URN2F. 

Control inputs for URVlF, URV2F. 

Data Input for URVJF. 

Read control flop. 

Indicates terminal not used herein. 

Grounded Input. 
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WHAT WE CLAIM IS: — 

1. An internally programmed data 
processing apparatus CPU having a virtual 
memory system, and being responsive to 
internally stored instruction words for 
processing information and having stored in 
said virtual memory system a plurality of 
different types of groups of information 
each information group-type associated 
with an address space bounded by a 
segment having adjustable bounds, and 
comprising means for protecting the 
information in said-virtual memory system 
from unauthorized users by restricting 
accessability to the information in 
accordance to levels of privilege, said 
means comprising in combination with an 
access checking mechanism; 

(a) first means arranged in operation to 
store in said virtual memory system at feast 
one segment table comprising a plurality of 
segment descriptors with each segment 
descriptor being associated with a 
predetermined one of said segments and 
each segment descriptor having a 
predetermined format containing an access 
information element and a base address 
element in predetermined positions of said 
format, said base address element being 
used for locating in said virtual memory 
system the starting location of a selected 



one of said segments, and said access 
information element for specifying the 65 
minimum level of privilege required for a 
predetermined type of access that is 
permitted in a selected one of said 
segments; 

(b) a plurality of second means having a 70 
predetermined format, communicating 
with said first means, arranged to store in a 
predetermined portion of said second 
means, a segment number SEG for 
identifying a segment table and the location 75 
of a segment descriptor within said segment 
table, said second means also being 
arranged to store in a predetermined other 
portion of said second means, an offset 
address within the segment identified by go 
said segment descriptor said offset address 
locating from said segment base the first 
byte of a word within said segment; 

(c) third means responsive to an address 
syllable element of an instruction being $5 
executed for addressing one of said 
plurality of second means; 

(d) fourth means arranged to store a 
displacement from said address syllable, 

(e) ftfth means, communicating with said 90 
first, second, third and fourth means, 
arranged to add the displacement D and 

said base" address to said offset; and, 

(f) sixth means responsive to said access 
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information clement in a selected one of 
said segment descriptors, restricting the 
accessability to the segment associated with 
said selected one of said segment 
5 descriptors in accordance to the level of 
privilege and the type of access specified in 
said access information element, wherein 
each group-type of information is 
associated with a predetermined ring 

10 number indicative of a level of privilege 
said level of privilege decreasing as the 
associated ring number increases 
comprising means for determining the 
maximum effective address ring number 

15 EAR (i.e. minimum level of privilege) of a 
selected process to access a selected group 
of information, said means comprising; 

(a) first means to store first information 
indicating the maximum ring number RD 

20 (i.e. minimum level of privilege) required to 
read information from said selected group; 

(b) second means to store second 
information indicating the maximum ring 
number WR (i.e. minimum level of 

25 privilege) required to write information into 
said selected group; 

(c) third means to store third 
information indicating the maximum ring 
number MAXR (i.e. minimum level of 

30 privilege) required to process information 
from said selected group; and, 

(d) fourth means communicating with 
said first, second and third means, to 
determine the maximum of the contents of 

35 said first, second and third means whereby 
the effective address ring number EAR is 
generated. 

2. Apparatus according to claim 1, 
wherein said second means for storing the 

40 maximum ring number WR additionally 
indicates the minimum ring number WR 
(i.e. maximum level of privilege) required 
to process information from said selected 
group. 

45 3. Apparatus according to claim 1 or 
claim 2, wherein said fourth means to 
generate the effective address ring number 
comprises a comparator for comparing 
binary numbers. 

50 4. Apparatus according to any one of 
claims 1 to 3 wherein the sixth means 
restricting the accessibility to the segment 
includes comparator means, 
communicating with said second means, to 

55 compare the effective address ring number 
EAR with the write ring number WR, and 
further including means communicating 
with said comparator means to generate a 
write-violation-exception signal when EAR 

60 is greater than WR, 

5. Apparatus according to claim 4, 
wherein the sixth means restricting the 
accessibility to the segment includes seventh 
means, communicating with said second 

65 and third means thereof to. compare the 



maximum ring number MAXR and the 
write ring number WR with the effective 
address ring number EAR, and further 
including eighth means, communicating 
with said seventh means for generating an 70 
execute-violauon-exception signal when the 
MAXR is not equal or greater than EAR 
which in turn is not equal or greater than 
WR. 

6. Apparatus according to claim 5, 75 
wherein in that the sixth means restricting 

the accessibility to the segment includes 
ninth means, communicating with said first 
means, for comparing the effective address 
ring number EAR with the read ring 80 
number RD, and further including 
tenth means, communicating with said 
ninth means, to generate a read-violation- 
exeption signal when EAR is greater than 
RD. 85 

7. Apparatus according to claim 6, 
wherein in that the sixth means restricting 
the accessibility to the segment includes 
eleventh means to store a process ring 
number PRN of a currently executing 90 
process, and also including twelfth means 

to communicate with said eleventh means, 
and further including tliirteenth means 
communicating said said twelfth means for 
overriding said read- violation-exception 95 
signal when the effective address ring 
number EAR is equal to the process ring 
number PRN of the currently executing 
process. 

8. Apparatus according to any one of the 100 
preceding claims wherein the access 
checking mechanism supervises transfer of 
control of said CPU from a fust selected 
procedure (Lc. caller) having a first ring 
number indicative of a minimum level of 105 
privilege associated with said caller, to a 
second selected procedure (Le. the callee) 
having a second ring number associated 
with said callee indicative of a minimum 
level of privilege associated with said 110 
callee, said access checking mechanism 
comprising 

(a) first means for checking the caller's 
right to call the callee; 

(b) second means, communicating with 115 
said first means, to compare the caller's 
ring number to the callee s ring number; 

(c) third means responsive to said second 
means to permit a transfer of control of said 
CPU from said caller to said callee when 120 
the ring number of the caller is greater than 

the ring number of callee (i.e. inward call); 
and, 

(d) fourth means also responsive 

to said second means to deny a 125 
transfer of control of said CPU 
from said caller to said callee when 
the ring number of said caller is less than 
the ring number of the callee (i.e. outward 
call), 130 



1,483,282 



25 



25 



9. Apparatus according to claim 8, 
wherein the access checking mechanism 
includes a plurality of ring stack-segment 
means each of said ring stack-segment 
5 means having associated with it a ring 
stack-segment number, indicative of the 
minimum level of privilege required by a 
selected one of said procedures to access a 
selected one of said ring slack segments. 

10 10. Apparatus according to claim 9 
wherein there are four ring stack segment 
means having ring numbers 0 to 3 
respectively. 

11. Apparatus according to claim 9 or 

15 claim 10 wherein the access checking 
mechanism includes stack-frame-element 
means associated with selected ones of said 
procedures, said stack-frame-element 
means being grouped within said ring stack- 

20 segment means in accordance with the ring 
number of the associated procedure of said 



stack-framc-element means, said stack 
frame element means to save said register 
of said caller prior to passing control to said 
callce. 25 

12. Apparatus according to claim ll t 
wherein the access checking mechanism 
includes first sub-element means, 
responsive to said first, second, third and 
fourth means, for communicating between 30 
a selected one of said stack-frame-means in 
a first ring stack-segment being associated 
with one ring number, and a selected other 
of said stack-frame-means in a second ring 
stack-segment associated with another ring 35 
number. 
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